High risk on elasticsearch 9200/tcp Reported by Nessus

hello,
I used Nessus to scan Elasticsearch (5.4.0), and there is one High risk on Elasticsearch:


How can I fix it? thank you.

Interesting, could you please provide more detail?

Sorry, I have no more detail. Just this report.

Yeah, I mean the full report in this screenshot.

What version of Elasticsearch are you running?

5.4.0

Just out of curiosity, which java version is ES using? No idea if that would affect the result or not...

I spent some time looking at the Nessus test and reproducing it. The false positive appears to be the result of Elasticsearch returning the format string in its error message. For example:

➜  ~ nc localhost 9200
GET %#0123456x%08x%x%s%p%n%d%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%#0123456x%%x%%s%%p%%n%%d%%o%%u%%c%%h%%l%%q%%j%%z%%Z%%t%%i%%e%%g%%f%%a%%C%%S%%08x HTTP/1.1

HTTP/1.1 400 Bad Request
content-type: application/json; charset=UTF-8
content-length: 515

{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"invalid escape sequence `%#0' at index 0 of: %#0123456x%08x%x%s%p%n%d%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%#0123456x%%x%%s%%p%%n%%d%%o%%u%%c%%h%%l%%q%%j%%z%%Z%%t%%i%%e%%g%%f%%a%%C%%S%%08x"}],"type":"illegal_argument_exception","reason":"invalid escape sequence `%#0' at index 0 of: %#0123456x%08x%x%s%p%n%d%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%#0123456x%%x%%s%%p%%n%%d%%o%%u%%c%%h%%l%%q%%j%%z%%Z%%t%%i%%e%%g%%f%%a%%C%%S%%08x"},"status":400}

As Elasticsearch is written in Java, we are not vulnerable to traditional format string attacks. Elasticsearch deals with JSON for input and output, and such false positives do pop up every now and then, as the scanning vendors don't expect this behavior.

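A way to repeat the check above yourself and decide whether a reflected probe is a false positive, as an added example that is not part of this thread and not Elasticsearch code. The probe string is the one echoed in the 400 response above; the Elasticsearch sample response is rebuilt from that post, the "vulnerable-looking" reply is constructed for illustration, and send_probe() assumes a node listening on localhost:9200.

```python
"""Reproduce the Nessus-style format-string probe against Elasticsearch on 9200/tcp
and classify the reply: was the probe merely echoed back, or did something interpret it?"""
import json
import socket

# The probe Nessus sent, copied from the error message Elasticsearch echoed above.
PROBE = ("%#0123456x%08x%x%s%p%n%d%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x"
         "%%#0123456x%%x%%s%%p%%n%%d%%o%%u%%c%%h%%l%%q%%j%%z%%Z%%t%%i%%e%%g%%f%%a%%C%%S%%08x")


def build_request(probe: str, host: str = "localhost") -> bytes:
    """Raw HTTP/1.1 request with the probe as the request path, as typed into nc above."""
    return (f"GET {probe} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode()


def send_probe(host: str = "localhost", port: int = 9200, timeout: float = 5.0) -> str:
    """Live check (assumes a reachable node): send the probe, return the raw response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(PROBE, host))
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def split_response(raw: str):
    """Return (status_code, body) from a raw HTTP response string."""
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split("\r\n", 1)[0].split()[1])
    return status, body


def reflected_text(body: str) -> str:
    """Elasticsearch puts the offending input in error.reason; other servers may echo it raw."""
    try:
        return json.loads(body)["error"]["reason"]
    except (ValueError, KeyError, TypeError):
        return body


def classify(probe: str, body: str) -> str:
    """'verbatim': every specifier, including the doubled %%, came back untouched, so
                 nothing consumed them (the Elasticsearch case: a safe echo, false positive).
    'altered' : the %%-doubled tail came back with %% collapsed to %, which is what a
                 printf-style pass does; this is the case that deserves manual review.
    'absent'  : the probe was not reflected at all."""
    text = reflected_text(body)
    if probe in text:
        return "verbatim"
    doubled_tail = probe[probe.index("%%"):] if "%%" in probe else ""
    if doubled_tail and doubled_tail.replace("%%", "%") in text:
        return "altered"
    return "absent"


# Rebuilt from the 400 Bad Request shown in the thread above.
_ES_ERROR = {"type": "illegal_argument_exception",
             "reason": f"invalid escape sequence `%#0' at index 0 of: {PROBE}"}
_ES_BODY = json.dumps({"error": {"root_cause": [_ES_ERROR], **_ES_ERROR}, "status": 400},
                      separators=(",", ":"))
SAMPLE_ES_RESPONSE = ("HTTP/1.1 400 Bad Request\r\n"
                      "content-type: application/json; charset=UTF-8\r\n"
                      f"content-length: {len(_ES_BODY)}\r\n\r\n" + _ES_BODY)

# Constructed (not from any real server): what a printf-style echo would look like, with
# the single-% specifiers consumed into junk and the doubled %% collapsed to single %.
CONSTRUCTED_VULN_BODY = ("<html><body>Not found: 0000002a7ffee3b0(null)0x1"
                         + PROBE[PROBE.index("%%"):].replace("%%", "%")
                         + "</body></html>")


if __name__ == "__main__":
    status, body = split_response(send_probe())
    print(status, classify(PROBE, body))
```

Only a "verbatim" result justifies closing the finding as a false positive; an "altered" reply means some component collapsed or consumed the specifiers and should be chased down rather than waived.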

Thank you very much!
