Why traffic between filebeat and elasticsearch contains “Apache Struts2 OGNL Remote Code Execution Vulnerability”

Hi guys,

We used Filebeat to send application logs to Elasticsearch. And these two components are deployed in different environments with firewall PaloAlto in between.

We found that after transmitting for a period of time, there will be a "connection reset by peer" error in the filebeat log. After investigation, we found the PaloAlto identified this traffic as a threat and detected "apache struts2 ognl remote code execution vulnerability" in this traffic.

I am not sure if Elasticsearch uses the apache struct2 framework, and I checked the security advisories and did not find security issues of this kind, so how did this happen?


You'd need to ask palo alto, their product is the one doing this.

Thanks, and I think I need to know if Elasticsearch uses the apache struct2 framework before asking Palo Alto.

Elasticsearch doesn't use struts as far as I know.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.