Important security fix for Search Guard 2 released. Update strongly recommended.

Today we released the fourth release of Search Guard 2, for Elasticsearch 2.3.4 and Elasticsearch 2.3.3.

This is a security bugfix release containing two important security fixes (see the changes marked in bold below), so we strongly recommend updating to Search Guard 2.3.3.4 or 2.3.4.4, depending on which ES version you are running.

Details: https://github.com/floragunncom/search-guard/wiki
Changelog: https://github.com/floragunncom/search-guard/wiki/Changelog

  • Make sgadmin more verbose and make it check whether updates succeed
  • Do not set a default HTTP authenticator. This can lead to unintended configuration behaviour where HTTP authentication gets mixed with transport layer authentication.
  • **Replace unsafe Arrays.hash() method with SHA-256 hash to cope with #186** (thanks to Vladimir Gordiychuk)
  • Fix possible deserialization vulnerability

Commercial support is also available here: https://floragunn.com/searchguard/searchguard-license-support/

Search Guard (®) is an Elasticsearch plugin that offers encryption, authentication and authorisation. It builds on Search Guard SSL and provides pluggable auth/auth modules in addition.