Important security fix for Search Guard 2 released. Update strongly recommended.

Today we released the 4th release for Search Guard 2 for Elasticsearch 2.3.4 and Elasticsearch 2.3.3

This release is a security bugfix release which contains two important security fixes (see the bold marked changes below)

and therefore we strongly recommend to update to Search Guard or (according to which ES version you are running)


  • Make sgadmin more verbose and make it checking if updates succeed
  • Do not set a default HTTP authenticator. This can lead to unintended configuration behaviour where the http authentication gets mixed with transport layer authentication.
  • ***Replace unsafe Arrays.hash() method with SHA-256 hash to cope with #186(thanks to ***Vladimir Gordiychuk)
  • Fix possible deserialization vulnerability

Commercial support is also available here

Search Guard (®) is an Elasticsearch plugin that offers encryption, authentication and authorisation. It builds on Search Guard SSL and provides pluggable auth/auth modules in addition.