Issue on ES: caused by "dynamic scripting disabled"

sbalde · November 1, 2015, 1:22pm

Hi,

I have installed a fresh Open Edx instance with ES 0.90.11 included.

Unfortunately i'm running into an error with ES. Here's my config file:

/#This file is created and updated by ansible, edit at your peril

/# Path to directory where to store index data allocated for this node.
/#
path.data: /edx/var/elasticsearch

/#Path to log files:
/#
path.logs: /edx/var/log/elasticsearch

/# ElasticSearch performs poorly when JVM starts swapping: you should ensure that
/# it never swaps.
/#
/# Set this property to true to lock the memory:
/#
bootstrap.mlockall: true

/# Disable dynamic scripting as it is insecure and we don't use it
/# See: http://bouk.co/blog/elasticsearch-rce/
/# CVE: CVE-2014-3120
script.disable_dynamic: true

/#cluster.name: Garokk the Petrified Man
/# Unicast discovery allows to explicitly control which nodes will be used
/# to discover the cluster. It can be used when multicast is not present,
/# or to restrict the cluster communication-wise.
/#
/# 1. Disable multicast discovery (enabled by default):
/#
/# discovery.zen.ping.multicast.enabled: false
/#
/# 2. Configure an initial list of master nodes in the cluster
/# to perform discovery when new nodes (master or data) are started:
/#
/# discovery.zen.ping.unicast.hosts: ["host1", "host2:port", "host3[portX-portY]"]

Find below the result of my log file.

[2015-11-01 13:27:09,417][DEBUG][action.search.type ] [Kymaera] [content][2], node[NgiyQQ9SQ-WU-YNN4eqKPQ], [P], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@2f9320d7] lastShard [true]
org.elasticsearch.search.SearchParseException: [content][2]: query[ConstantScore(:)],from[-1],size[1]: Parse Failure [Failed to parse source [{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"exp":{"script":"import java.util.;\nimport java.io.*;\nString str = "";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("rm ").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();"}}}]]
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:581)
at org.elasticsearch.search.SearchService.createContext(SearchService.java:484)
at org.elasticsearch.search.SearchService.createContext(SearchService.java:469)
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:462)
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:234)
at org.elasticsearch.search.action.SearchServiceTransportAction.sendExecuteQuery(SearchServiceTransportAction.java:202)
at org.elasticsearch.action.search.type.TransportSearchQueryThenFetchAction$AsyncAction.sendExecuteFirstPhase(TransportSearchQueryThenFetchAction.java:80)
at org.elasticsearch.action.search.type.TransportSearchTypeAction$BaseAsyncAction.performFirstPhase(TransportSearchTypeAction.java:216)
at org.elasticsearch.action.search.type.TransportSearchTypeAction$BaseAsyncAction.performFirstPhase(TransportSearchTypeAction.java:203)
at org.elasticsearch.action.search.type.TransportSearchTypeAction$BaseAsyncAction$2.run(TransportSearchTypeAction.java:186)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: org.elasticsearch.script.ScriptException: dynamic scripting disabled
at org.elasticsearch.script.ScriptService.compile(ScriptService.java:133)
at org.elasticsearch.script.ScriptService.search(ScriptService.java:163)
at org.elasticsearch.search.fetch.script.ScriptFieldsParseElement.parse(ScriptFieldsParseElement.java:73)
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:569)
... 12 more
[2015-11-01 13:27:09,430][DEBUG][action.search.type ] [Kymaera] All shards failed for phase: [query]

ElasticSearch's health shows a yellow status:

{
"cluster_name" : "elasticsearch",
"status" : "yellow",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 10,
"active_shards" : 10,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 10
}

Does anyone know how to solve this issue?

Thanks for your help

Regards,

warkolm · November 1, 2015, 8:40pm

Why are you running such an old version?!

As you mention in the subject, that's why. If you search the docs you will find how to enable this

magnusbaeck · November 2, 2015, 7:09am

[2015-11-01 13:27:09,417][DEBUG][action.search.type ] [Kymaera] [content][2], node[NgiyQQ9SQ-WU-YNN4eqKPQ], [P], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@2f9320d7] lastShard [true]
org.elasticsearch.search.SearchParseException: [content][2]: query[ConstantScore(:)],from[-1],size[1]: Parse Failure [Failed to parse source [{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"exp":{"script":"import java.util.;\nimport java.io.;\nString str = "";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("rm *").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();"}}}]]

Are you yourself trying to run a dynamic script that runs rm * or is your ES cluster accessible to potentially malicious clients?

warkolm · November 2, 2015, 7:49am

Ahh good catch.

Looks like your cluster is open to the internet, which is bad.

mainec · November 2, 2015, 10:34am

Here's some more information on how to run Elasticsearch securely:

So if others find the thread with a similar error message - here's the doc on how to enable dynamic scripting:

sbalde · November 3, 2015, 12:51am

@warkolm This is default ES version provided with Open Edx. It's installed by ansible tasks. I'll ask on Edx's mailbox if there's any special reason why they are still using this old version and if updating ES won't mess up something into Edx.

Thank you @magnusbaeck for pointing me on this security breach, I didn't noticied it. I am not running any script on my ES cluster and don't intend to use this functionality later. Fortunately, my cluster is not installed on a production server.

I will get a look on the documentation links provided by @mainec in order to secure it.

Thanks guys for your time and help. I will keep updated.