Disable HTTP OPTIONS on port 9200

bhupendra.mskhatri · July 26, 2024, 6:33am

How to disable HTTP OPTIONS on port 9200 which our scan tool is flagging as a vulnerability.
If we cannot, could you please share a reason that I could share with my security team (link to a document would be prefarable)

Musab_Dogan · July 28, 2024, 10:35pm

You can update http.port: 9200 in elasticsearch.yml. Please note that your application must connect with Elasticsearch through a port and by default it's set to 9200.

If the concern related to a browser check the CORS settings.

bhupendra.mskhatri · July 29, 2024, 1:11am

Thankyou for response @Musab_Dogan
The issue is our security tool scans through all the ports and is able to identify that 9200 has OPTIONS enabled.
Even if we change port, it will get highlighted in the next scan cycle.
We would like a way where we could disable the OPTIONS method like we can do it for apachec/jetty/iis.

leandrojmp · July 29, 2024, 2:46am

This is not possible, you cannot disable any http method on Elasticsearch.

bhupendra.mskhatri · July 29, 2024, 3:07am

Thankyou @leandrojmp .
And would it be correct to claim that all http methods on port 9200 are safe i.e. any malicious attack using the http methods on port 9200 is difficult (if not impossible) as access to this port is password protected?

leandrojmp · July 29, 2024, 4:03am

Making an OPTIONS request to Elasticsearch does not require any authentication, it will return which methods are supported in each API endpoint.

Some endpoints will support GET, others will support GET and POST, which depends on each endpoints.

No, this is not correct because some unknown vulnerability may arise that could be exploited.

Being safe or unsafe depend on other factors like if security is configured, if the password used are strong, if the your endpoint is not publicly exposed to the internet, if the stack is up to date, multiple things can make your cluster more safe or unsafe.

Many security scan tools will alert if an HTTP endpoint has the OPTIONS method allowed because this method can be used to know what other methods are supported, but this can also be done in multiple other ways, so this alert is normally just an information alert.

Since you cannot disable OPTIONS in elasticsearch you need to adjust your security scan tool to ignore it in this case.

bhupendra.mskhatri · July 29, 2024, 4:16am

@leandrojmp thanks a lot.
That explanation is real helpful.

system · August 26, 2024, 4:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.