Security questions about Elasticsearch scripts and Kibana

Elastic Stack Elasticsearch
1

We are using Elasticsearch and Kibana 6.x.

In the past, Elasticsearch has serious security issues with scripting. Some exploits allowed an attacker to execute arbitrary remote commands (e.g: https://www.rapid7.com/db/modules/exploit/multi/elasticsearch/search_groovy_script )

Starting from Elasticsearch 6.x:

  1. Are all the script langages safe when leaving script.allowed_types and script.allowed_contexts to their defaut values?
  2. Is it possible to disable some script langages in Elasticsearch configuration? (e.g. to allow painless only)

Besides, is it safe to expose a Kibana instance to anonymous Internet users if:

  • using a security solution like X-Pack
  • and allowing anonymous users to access, with read-only rights, to indices with public data only
  • and enabling inline scripting
2

Groovy scripting was removed in 6.0. The remaining languages (expressions and painless) are sandboxed and safe.

Is it possible to disable some script langages in Elasticsearch configuration?

Since the builtin languages in elasticsearch are safe, we removed this ability. Any external languages added by plugins can simply be removed as plugins.

is it safe to expose a Kibana instance to anonymous Internet users

While you may be able to protect data with elasticsearch security and anonymous access, opening up a system to the internet always leaves it open to various DOS type attacks. It is generally better to proxy any external access, so you can restrict the access to specific patterns of requests.