May 29, 2014

Elasticsearch (http://www.elasticsearch.org/) is a popular open source search server. We were recently made aware of two potential security issues with this software. While these are not issues with AWS, we wanted to ensure that our customers are aware so that they can take appropriate steps.

The first issue is an insecure default configuration for versions of this software earlier than 1.2, outlined in CVE-2014-3120 (http://bouk.co/blog/elasticsearch-rce/). Attackers who take advantage of this insecure configuration can run arbitrary commands with the privileges of the Elasticsearch daemon.

The second issue is a lack of access control that applies to all versions of Elasticsearch. Anyone who can connect to the search port can query or alter any index on the server. These issues pose the greatest risk when an Elasticsearch server is open to the entire Internet and is running on the default port, 9200/tcp.

The most effective way to avoid these issues is to ensure that your search servers cannot be reached by every host on the Internet. You can use EC2 Security Groups to restrict access to 9200/tcp to only those hosts that should be querying your search index; more information on EC2 Security Groups can be found here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

In addition, if you are running a version of Elasticsearch prior to 1.2, you should disable the dynamic script execution support in Elasticsearch. More about this can be found here: http://bouk.co/blog/elasticsearch-rce/#how_to_secure_against_this_vulnerability

If you are using Elasticsearch in production, we recommend that you audit your security groups and, if necessary, take appropriate steps to restrict access to your Elasticsearch servers.
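The audit the bulletin recommends can be scripted. The following is an added example, not code from AWS or the Elasticsearch project: it takes the JSON shape returned by `aws ec2 describe-security-groups`, flags any group whose inbound rules let every Internet host reach 9200/tcp, and separately decides whether a given Elasticsearch version and `elasticsearch.yml` still need dynamic scripting turned off (the `script.disable_dynamic: true` setting that the linked post describes; releases from 1.2 onward disable it by default). The security group document, group IDs and configuration text are constructed sample input so the script runs offline.

```python
"""Offline audit for the two Elasticsearch issues: world-reachable 9200/tcp and
dynamic scripting left enabled on versions earlier than 1.2. (Added example.)"""
import ipaddress
import json

ES_PORT = 9200

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs are placeholders, not real AWS identifiers.
SAMPLE_SECURITY_GROUPS = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-example-open", "GroupName": "search-open",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-restricted", "GroupName": "search-restricted",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-example-allow-all", "GroupName": "allow-all",
     "IpPermissions": [
       {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
  ]
}
""")


def rule_covers_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def cidr_is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any host on the Internet matches."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_world_exposed_groups(sg_json, port=ES_PORT):
    """Return the GroupIds whose inbound rules let any Internet host reach `port`."""
    exposed = []
    for sg in sg_json["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if any(cidr_is_world(c) for c in cidrs):
                exposed.append(sg["GroupId"])
                break                       # one offending rule is enough
    return exposed


def parse_version(version):
    """'1.1.1' -> (1, 1); only major.minor matter for the 1.2 cutoff."""
    return tuple(int(p) for p in version.split(".")[:2])


def needs_dynamic_scripting_disabled(version, es_yml_text):
    """True if this node still has dynamic scripting enabled and must be fixed.

    Versions before 1.2 enable it unless elasticsearch.yml sets
    `script.disable_dynamic: true`; 1.2 and later disable it by default.
    """
    if parse_version(version) >= (1, 2):
        return False
    for line in es_yml_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop YAML comments
        if line.startswith("script.disable_dynamic:"):
            value = line.split(":", 1)[1].strip().lower()
            return value != "true"
    return True                                   # setting absent: still enabled


if __name__ == "__main__":
    # Constructed elasticsearch.yml content for a pre-1.2 node.
    sample_yml = "cluster.name: search-prod\n# script.disable_dynamic: true\n"
    print("groups exposing 9200/tcp to the world:",
          find_world_exposed_groups(SAMPLE_SECURITY_GROUPS))
    print("1.1.1 node needs script.disable_dynamic: true ->",
          needs_dynamic_scripting_disabled("1.1.1", sample_yml))
```

In practice the security group JSON would come from `aws ec2 describe-security-groups` run against your account, and the version and configuration from each Elasticsearch node; the script flags the groups to tighten and the nodes that still need the setting before they are upgraded to 1.2 or later.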