Core 3.1.7 Closes Elasticsearch Security Vulnerability
Core 3.1.7 contains a configuration change that prevents Elasticsearch data from being accessed outside a Core cluster. Previously, Elasticsearch data could be accessed by any machine on the same network. The Elasticsearch head plugin was also removed to help further secure Elasticsearch from outside access.
For information on how to port this configuration change to previous versions of Core see the Knowledge Base Article with the title 'Protecting Geocortex Core from Unwanted Access'
Core 3.1.7 was shipped with GA 1.4.2 and will be shipped with GE 4.10.
0
-
Wayne,
We've used the Elasticsearch head to migrate project data between sites in the past. With the plugin removed, do any methods remain to accomplish this task or is the golden age of GCE Elasticsearch manipulation closing entirely?0 -
Hi Zack,
The Head Plugin is still available, just not available by default. Section "2.4.2 Restore the Head Plugin" of the KBA article mentioned above details how to return the Head Plugin, if are OK with the risks of having it available.
Regards,
Wayne Richard
Latitude Geographics Group Ltd.
Head Office: 300 – 1117 Wharf Street Victoria, BC Canada V8W 1T7
Tel: (250) 381-8130 | Fax: (250) 381-8132 | wrichard@latitudegeo.com
Developers of Geocortex web-based mapping software | www.geocortex.com
An Esri Platinum Business Partner0 -
Wonderful! Thank you. 0 -
I would also, for others, that Zack's Geocortex Analytics is not publicly available. An exposed ElasticSearch Head Plugin is bound to get mucked with by bad actors.
I applaud the default change to the Head Plugin and it should only be exposed if you are comfortable with your current security infrastructure.0 -
But how can you check (with Core v3.1.7), that your cluster is still healthy? Normally I did this by going to the following URL: localhost:19201/_plugin/head/index.html 0 -
Couple ways:
If you go to this location if there is a GeoPost utility
C:\Program Files\Latitude Geographics\Geocortex Core\Diagnostics. In there is a list of different checks you can do. The one you are looking for is this one
https://localhost:19201/_cluster/health
The 2nd way is the Manager for Elasticsearch found in the same folder. Just need to connect to your instance.
The one problem I found without the visual interface is trying to quickly determine which index is the problem if the health is yellow or red. The visual interface was great for that.0 -
To clarify my post from June 14, 2018, the instructions to restore the Head Plugin are now being removed due to an issue with them, I would stick to the method Kevin mentions above, by using GeoPost.
Regards,
Wayne Richard
Latitude Geographics Group Ltd.
Head Office: 300 – 1117 Wharf Street Victoria, BC Canada V8W 1T7
Tel: (250) 381-8130 | Fax: (250) 381-8132 | wrichard@latitudegeo.com
Developers of Geocortex web-based mapping software | www.geocortex.com
An Esri Platinum Business Partner0 -
As Wayne mentioned above, the procedure for restoring the Head plugin is no longer viable and has been removed from the knowledge base article. There are alternate methods to restore the Head plugin - see here:
https://github.com/mobz/elasticsearch-head
Running as a Chrome extension, or downloading the entire pull request and putting all the contents into a 'head' folder in the elasticsearch plugins folder, are the easiest ways. If you use the Chrome extension, you'll need to change the default address to http://localhost:19200.
NB: There is inherent risk in the exposure that comes with the Head plugin. If you choose to use it, it is your responsibility to understand and manage that risk through your security infrastructure.
Thanks,
Aaron Oxley0
Bitte melden Sie sich an, um einen Kommentar zu hinterlassen.
Kommentare
8 Kommentare