Critical Risk on Elasticsearch 9200 / tcp / www Reported by Nessus

(Caixia Chi) #1

I used Nessus to scan an Elasticsearch server, and it reports one Critical risk issue on Elasticsearch:

Severity Plugin Id Name
Critical (10.0) 10169 OpenLink Web Configurator GET Request Remote Overflow

For this OpenLink Web Configurator GET Request Remote Overflow, Nessus reports that:

Synopsis : The remote web server has an application that is affected by a buffer overflow vulnerability.
Description : It is possible to crash the remote web server by sending overly long GET requests. An attacker may exploit this issue to crash the remote web server or execute arbitrary code on the remote system.

Are there any analysis and planned solutions for this issue in the forum?


(David Pilato) #2


Thanks for opening this. Could you send your question to security (at) elastic (dot) co so folks can check and answer you directly?

In this email can you describe which API endpoint is concerned?

Thanks a lot

(Mark Walkom) #3

This appears to be related to this CVE

But ES is not OpenLink, so I think this is a false positive.

(Caixia Chi) #4

"OpenLink web config buffer overflow" is a type of issue where Nessus sends large GET requests to a specific directory of the web server and the web server responded with a non-NULL response. It's not necessarily related to OpenLink software. The following is the source code of Nessus plugin 10169. Is there a max-length limitation for requests sent to Elasticsearch? Will it always process them? This is why Nessus reports it.

# This script was written by Renaud Deraison
#
# See the Nessus Scripts License for details

script_version ("$Revision: 1.18 $");
name["english"] = "OpenLink web config buffer overflow";
name["francais"] = "Dépassement de buffer dans la config web de OpenLink";
script_name(english:name["english"], francais:name["francais"]);

desc["english"] = "It is possible to make the remote server execute
arbitrary code by sending one of these two URLs :

GET /cgi-bin/testcono?AAAAA[...]AAA HTTP/1.0

Solution : Upgrade.
Risk factor : High";

desc["francais"] = "Il est possible de faire executer du code arbitraire
au serveur en lui envoyant une des requêtes :

GET /cgi-bin/testcono?AAAAA[...]AAA HTTP/1.0

Solution : Mettez le à jour.
Facteur de risque : Elevé";

script_description(english:desc["english"], francais:desc["francais"]);

summary["english"] = "OpenLink buffer overflow";
summary["francais"] = "Dépassement de buffer dans OpenLink";
script_summary(english:summary["english"], francais:summary["francais"]);

script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison",
francais:"Ce script est Copyright (C) 1999 Renaud Deraison");
family["english"] = "Gain root remotely";
family["francais"] = "Passer root à distance";
script_family(english:family["english"], francais:family["francais"]);
script_dependencie("find_service.nes", "httpver.nasl");

# The script code starts here

port = 8000;

# Baseline probe: a 4096-character request, then read the first response line
data = http_get(item:crap(4096), port:port);
soc = http_open_socket(port);
if(soc)
{
 send(socket:soc, data:data);
 b = recv_line(socket:soc, length:1024);
}
else exit(0);

# Long query string against testcono in each CGI directory
foreach dir (cgi_dirs())
{
 soc2 = http_open_socket(port);
 data = http_get(item:string(dir, "/testcono?", crap(2000)), port:port);
 send(socket:soc, data:data);
 c = recv_line(socket:soc, length:1024);
}

(Mark Walkom) #5

What version of ES are you on?

(Caixia Chi) #6

We are on 2.4.1 now. Is there a max length limitation/configuration on incoming requests in later releases?
We plan to move to 5.2.1 in later releases.

(Mark Walkom) #7

There is http.max_content_length, which defaults to 100 megs.

(Clinton Gormley) #8

There is also http.max_initial_line_length which defaults to 4kB.

This report is bogus. You can't use a test built for OpenLink to test anything about Elasticsearch. Just try the actual requests the script is sending and you'll see that you get back an error message until you pass the max_initial_line_length, after which you get back an empty response as Elasticsearch closes the connection.

(Caixia Chi) #9

OK, thanks a lot for the input! It's quite helpful!
If http.max_content_length is exceeded, will the connections be closed too?

(Clinton Gormley) #10

Yes it will

(system) #11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
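
The limits named in replies #7 to #10, as an added example that is not part of the original thread or of Elasticsearch or Nessus code: it reads the two `http.*` settings from a constructed `elasticsearch.yml` fragment and predicts, for the request sizes in the plugin source quoted in reply #4, whether the request is answered or the connection is closed. Assumptions: the initial-line limit is compared against the whole request line, sizes use 1024-based units, and `/cgi-bin` stands in for a `cgi_dirs()` entry.

```python
import re

# Defaults as stated in the thread (replies #7 and #8).
DEFAULTS = {"http.max_content_length": "100mb", "http.max_initial_line_length": "4kb"}
UNITS = {"b": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

def parse_size(text):
    """Convert a byte-size string such as '4kb' to a number of bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*(b|kb|mb|gb)\s*", text.lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def load_limits(yaml_text):
    """Read the two http.* limits from flat 'key: value' lines, else use defaults."""
    found = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")
        if sep and key.strip() in DEFAULTS:
            found[key.strip()] = value.strip().strip("\"'")
    return {k: parse_size(v) for k, v in found.items()}

def predict(method, uri, content_length, limits):
    """Predict the outcome of one request, per the behaviour described in the thread."""
    initial_line = f"{method} {uri} HTTP/1.0"
    # Assumption: the limit covers the whole initial line and trips when it is longer.
    if len(initial_line) > limits["http.max_initial_line_length"]:
        return "connection closed (initial line too long)"
    if content_length > limits["http.max_content_length"]:
        return "connection closed (content too long)"
    return "response returned"

# Constructed sample config with no overrides, so the thread's defaults apply.
SAMPLE_YML = "cluster.name: demo   # constructed\n"
LIMITS = load_limits(SAMPLE_YML)

# Request sizes from the plugin source quoted in reply #4; '/cgi-bin' is assumed.
PROBES = {
    "baseline": ("GET", "A" * 4096, 0),
    "testcono": ("GET", "/cgi-bin/testcono?" + "A" * 2000, 0),
}

def report(limits=LIMITS):
    """Map each probe name to its predicted outcome under the given limits."""
    return {name: predict(*args, limits) for name, args in PROBES.items()}

if __name__ == "__main__":
    for name, outcome in report().items():
        print(f"{name:9s} -> {outcome}")
```

A closed connection here is the configured limit being enforced, so when triaging a finding like this one, compare the probe sizes with the node's actual settings and confirm the node is still serving requests afterwards.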