Is SearchGuardSSL prone to Information Disclosure issue

[shashanka]

Hi, 

I am wondering if an Elasticsearch server with search guard ssl installed is vulnerable to  information disclosure issue ? 

More information at https://nvd.nist.gov/vuln/detail/CVE-2018-3831 

From the above link that i shared, i understand that x-pack is vulnerable to this security issue as it stores secrets. What about SearchGuardSSL (search guard or other modules are not installed) ? Does SearchguardSSl stores secrets  as dynamic cluster settings,  If yes, what are those and what is the remediation ? 

Here are the details of setup

• SearchGuardSSL and Elasticsearch version : 5.6.9.
  
• No other enterprise modules installed
• JVM Version and operaing System :   Java 7/8 and Windows/Linux

[SG]

SearchGuard and SearchGuarSSL are not vulnerable to the issue described in CVE-2018-3831 because we do not store anything in the cluster state

> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/c24e7278-bafc-49c8-8ccb-7a6008ff7ab7%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.