Is SearchGuardSSL prone to Information Disclosure issue

Hi,

I am wondering if an Elasticsearch server with search guard ssl installed is vulnerable to information disclosure issue ?

More information at https://nvd.nist.gov/vuln/detail/CVE-2018-3831

From the above link that i shared, i understand that x-pack is vulnerable to this security issue as it stores secrets. What about SearchGuardSSL (search guard or other modules are not installed) ? Does SearchguardSSl stores secrets as dynamic cluster settings, If yes, what are those and what is the remediation ?

Here are the details of setup

  • SearchGuardSSL and Elasticsearch version : 5.6.9.
  • No other enterprise modules installed
  • JVM Version and operaing System : Java 7/8 and Windows/Linux

SearchGuard and SearchGuarSSL are not vulnerable to the issue described in CVE-2018-3831 because we do not store anything in the cluster state

···

Am 11.02.2019 um 14:02 schrieb shashanka <SHASHANKA981@gmail.com>:

Hi,

I am wondering if an Elasticsearch server with search guard ssl installed is vulnerable to information disclosure issue ?

More information at https://nvd.nist.gov/vuln/detail/CVE-2018-3831

From the above link that i shared, i understand that x-pack is vulnerable to this security issue as it stores secrets. What about SearchGuardSSL (search guard or other modules are not installed) ? Does SearchguardSSl stores secrets as dynamic cluster settings, If yes, what are those and what is the remediation ?

Here are the details of setup

  • SearchGuardSSL and Elasticsearch version : 5.6.9.
  • No other enterprise modules installed
  • JVM Version and operaing System : Java 7/8 and Windows/Linux

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/c24e7278-bafc-49c8-8ccb-7a6008ff7ab7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.