Friday, January 13, 2017

Elasticsearch Installation Security Incident

As of today, attackers have been reportedly scanning for and vandalizing unsecured Elasticsearch installations over the Internet. (See: http://www.pcworld.com/article/3157417/security/after-mongodb-ransomware-groups-hit-exposed-elasticsearch-clusters.html)

Bitnami's security team has reviewed our image library. As a result, we have confirmed that Bitnami virtual machines and single-VM cloud images are not vulnerable to this attack because they do not expose Elasticsearch publicly by default; Elasticsearch is proxied through Apache with authentication.

One Bitnami listing, "Elasticsearch Cluster" on Microsoft Azure, was found to be vulnerable. This listing was removed earlier this week and we are notifying the small number of users who may have installations based on the affected template.

Since the scale of the attack appears to be growing, we recommend that all users of Bitnami Elasticsearch on all cloud platforms check that their installations are secure. Deployments that were secure at launch may have been accidentally opened to the Internet by changing the default configuration. 

We recommend that you immediately ensure that your Elasticsearch is not exposed to the public internet by reviewing:

a) Inbound firewall rules prevent traffic to ports 9200-9300 from the Internet

or

b) Moving any Elasticsearch deployments to private networks

How to restrict access to port 9200 on Microsoft Azure:
1. Login to Microsoft Azure Portal.
2. Using the left hand navigation bar, go to “Resource groups”.
3. Select the resource group your Elasticsearch Cluster application is located in.
4. Select the "Network Security Group" to edit the properties.


5. Select the "Inbound security rules" to close the port 9200 by changing the Action from “Allow” to “Deny”.
6. Click the blue “Save” button at the top of the window.


Additional practices for securing Elasticsearch can be found here: http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly

If you have been affected by this attack or need additional help updating your Bitnami Elasticsearch, please contact us directly through our Helpdesk and we will do our best to assist you. https://bitnami.zendesk.com/hc/en-us.

No comments:

Post a Comment

Please use our community forum if you have any questions community.bitnami.com