Why traffic between filebeat and elasticsearch contains “Apache Struts2 OGNL Remote Code Execution Vulnerability”

Hi guys,

We use Filebeat to send application logs to Elasticsearch. These two components are deployed in different environments with a Palo Alto firewall in between.

We found that after transmitting for a period of time, a "connection reset by peer" error appears in the Filebeat log. After investigation, we found that the Palo Alto firewall identified this traffic as a threat and detected "apache struts2 ognl remote code execution vulnerability" in it.

I am not sure if Elasticsearch uses the Apache Struts2 framework, and I checked the security advisories and did not find a security issue of this kind, so how did this happen?

Thanks.

You'd need to ask Palo Alto; their product is the one doing this.

Thanks, and I think I need to know if Elasticsearch uses the Apache Struts2 framework before asking Palo Alto.

Elasticsearch doesn't use Struts as far as I know.
