There are two vulnerabilities in Elasticsearch that I recently patched in my installations.
One is the ‘script’ vuln, mentioned here.
Fix by adding
script.disable_dynamic: true
to your Elasticsearch.yml config file.
The other one has to do with CORS, which exposes data via REST endpoints.
Fix by adding
http.cors.allow-origin: "http://your.FQDN.domain.name"
to your Elasticsearch.yml config file.
In fixing the second one (CORS), I run into a problem where that broke my usage of elasticsearch-head plugin. I use the plugin as a checked out git repo on my laptop and port forward to the actual ES server. E.g. the URL I use is something like this
file:///Users/tinle/src/opensource/elasticsearch-head/index.html?base_uri=http://127.0.0.1:9200/
So I ended up having to patch elasticsearch-head to make it work with CORS.
diff --git a/dist/app.js b/dist/app.js
index 5bce2a3..7e58acb 100644
--- a/dist/app.js
+++ b/dist/app.js
@@ -1188,6 +1188,9 @@
request: function( params ) {
return $.ajax( $.extend({
url: this.base_uri + params.path,
+ /**
+ * 2014/06/01 tinle
+ **/
dataType: "jsonp",
crossDomain: true,
error: function(xhr, type, message) {
diff --git a/dist/vendor.js b/dist/vendor.js
index fb1a448..2b74180 100644
--- a/dist/vendor.js
+++ b/dist/vendor.js
@@ -6838,6 +6838,10 @@ jQuery.each( [ "get", "post" ], function( i, method ) {
return jQuery.ajax({
type: method,
url: url,
+ /**
+ * HACK 2014/06/03 tinle
+ */
+ crossDomain: true,
data: data,
success: callback,
dataType: type
@@ -14439,4 +14443,4 @@ under the License.
}
throw "could not process value " + v;
};
-})();
\ No newline at end of file
+})();
Updated: 6/4/2014 – I think the above patch should work. I’ve been using it last few days and I am able to GET/PUT/POST, e.g. make changes to ES via elasticsearch-head.
You must be logged in to post a comment.