There are two vulnerabilities in Elasticsearch that I recently patched in my installations.
One is the ‘script’ vuln, mentioned here.
Fix by adding
script.disable_dynamic: true
to your elasticsearch.yml config file.
The other one has to do with CORS (cross-origin resource sharing): a permissive allow-origin lets pages on other origins read data from the REST endpoints.
Fix by adding
http.cors.allow-origin: "http://your.FQDN.domain.name"
to your elasticsearch.yml config file.
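As an added example (not from the original post), here is a small stdlib-only Python check that audits an elasticsearch.yml for the two settings above: it parses the flat "dotted.key: value" lines, flags a missing or non-true script.disable_dynamic, and flags a missing or wildcard http.cors.allow-origin. The two config strings are constructed samples, and the origin check is a simple heuristic of my own (one http(s) origin), not Elasticsearch's own parsing rules.

```python
import re

# Constructed sample configs (not from the post): one with both fixes applied,
# one still at the weak settings.
HARDENED_YML = """\
cluster.name: example-cluster
# dynamic scripting off (the 'script' vuln)
script.disable_dynamic: true
# CORS restricted to one origin
http.cors.allow-origin: "http://es.example.internal"
"""

WEAK_YML = """\
cluster.name: example-cluster
http.cors.allow-origin: "*"
"""


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' form used in elasticsearch.yml.

    Comments and blank lines are skipped; surrounding quotes are stripped.
    Nested YAML blocks are not handled; this is a minimal parser for audits.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)      # first ':' separates key from value
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


# Heuristic (assumption): a hardened allow-origin is exactly one http(s) origin.
SINGLE_ORIGIN = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?$")


def audit(text):
    """Return {setting: problem} for anything not matching the post's two fixes.

    A missing key is treated as not hardened, which is the case the post
    describes (the fix is to add the line).
    """
    cfg = parse_flat_yaml(text)
    findings = {}

    if cfg.get("script.disable_dynamic", "").lower() != "true":
        findings["script.disable_dynamic"] = (
            "dynamic scripting not disabled; add script.disable_dynamic: true")

    origin = cfg.get("http.cors.allow-origin")
    if origin is None or origin == "":
        findings["http.cors.allow-origin"] = (
            "no explicit allow-origin; set it to your FQDN")
    elif origin == "*":
        findings["http.cors.allow-origin"] = (
            "allow-origin is a wildcard; restrict it to your FQDN")
    elif not SINGLE_ORIGIN.match(origin):
        findings["http.cors.allow-origin"] = (
            "allow-origin is not a single http(s) origin: %r" % origin)
    return findings


if __name__ == "__main__":
    for name, yml in (("hardened", HARDENED_YML), ("weak", WEAK_YML)):
        problems = audit(yml)
        print("%s: %s" % (name, problems or "OK"))
```

Run it against a real file with `audit(open("/path/to/elasticsearch.yml").read())`; an empty dict means both settings from the post are present.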
In fixing the second one (CORS), I ran into a problem where that broke my usage of the elasticsearch-head plugin. I use the plugin as a checked-out git repo on my laptop and port forward to the actual ES server, e.g. the URL I use is something like this:
file:///Users/tinle/src/opensource/elasticsearch-head/index.html?base_uri=http://127.0.0.1:9200/
So I ended up having to patch elasticsearch-head to make it work with CORS.
diff --git a/dist/app.js b/dist/app.js index 5bce2a3..7e58acb 100644 --- a/dist/app.js +++ b/dist/app.js @@ -1188,6 +1188,9 @@ request: function( params ) { return $.ajax( $.extend({ url: this.base_uri + params.path, + /** + * 2014/06/01 tinle + **/ dataType: "jsonp", crossDomain: true, error: function(xhr, type, message) { diff --git a/dist/vendor.js b/dist/vendor.js index fb1a448..2b74180 100644 --- a/dist/vendor.js +++ b/dist/vendor.js @@ -6838,6 +6838,10 @@ jQuery.each( [ "get", "post" ], function( i, method ) { return jQuery.ajax({ type: method, url: url, + /** + * HACK 2014/06/03 tinle + */ + crossDomain: true, data: data, success: callback, dataType: type @@ -14439,4 +14443,4 @@ under the License. } throw "could not process value " + v; }; -})(); \ No newline at end of file +})();
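Review bot: in the dist/app.js hunk the three added lines are only a dated author comment, so nothing functional changes there, and the comment does not say why the surrounding `dataType: "jsonp", crossDomain: true` options matter (the restricted `http.cors.allow-origin` on the server and the page being loaded from `file:///`). Record that reason in the comment instead of a date. Also, dist/app.js looks like a build output of elasticsearch-head; a change made only there is discarded the next time the project is rebuilt, so it belongs in the source file the bundle is generated from.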
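Review bot: the dist/vendor.js hunk hard-codes `crossDomain: true` into jQuery's own `get`/`post` shorthand, which changes behaviour for every caller in the app and will be lost on the next vendor upgrade. Pass `crossDomain: true` in the caller's ajax options instead, as the app.js `request` function already does for its own call. For the record, what the flag does in jQuery is skip the same-origin detection and stop adding the `X-Requested-With` header, and that header is what turns a cross-origin POST into a preflighted request; the `HACK` comment should say so rather than just carrying a date.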
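Review bot: the last hunk in dist/vendor.js (`-})();` with `\ No newline at end of file` against `+})();`) only adds a trailing newline and is unrelated to the CORS fix; keep it out of this patch, or at least mention it in the description so a reader does not look for a code change there.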
Updated: 6/4/2014 – I think the above patch should work. I’ve been using it for the last few days and I am able to GET/PUT/POST, e.g. make changes to ES via elasticsearch-head.