Closed Bug 943087 Opened 11 years ago Closed 11 years ago

[Bugs ES] Disable MVEL on Public ES cluster

Categories

(Infrastructure & Operations :: IT-Managed Tools, task, P4)

x86_64
Windows 7

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ekyle, Assigned: dmaher)

MVEL scripting has access to the whole JVM.  Disable it.
Blocks: 879833, 872363
Assignee: nobody → network-operations
Component: General → NetOps
Product: Testing → Infrastructure & Operations
QA Contact: adam
Version: unspecified → other
Public cluster is at elasticsearch[1-3].bugs.scl3.mozilla.com 

The cluster for private bugs [4-6] requires scripting stay enabled.
Assignee: network-operations → server-ops-webops
Component: NetOps → WebOps: IT-Managed Tools
QA Contact: adam → nmaul
Assignee: server-ops-webops → dmaher
Priority: -- → P4
My understanding is that the term "public bugs cluster" refers to the fact that only bugs with non-protected flags are indexed.  The cluster itself is not open to the public and is in fact behind a series of firewalls and network ACLs.  The "public" and "private" bugs clusters are situationally identical.

Please confirm that you still want scripting disabled on the "public bugs" cluster.
Flags: needinfo?(klahnakoski)
Yes, please disable scripting on the public bugs cluster.

The plan is to set up a proxy, and have this open to the public.  Before we do this we must run tests to ensure there are no private bugs leaking into this cluster.

Here is my naive architecture document (feedback would be appreciated):
https://bugzilla.mozilla.org/attachment.cgi?id=8337813

Here is the bug for the proxy (called esFrontLine):
https://bugzilla.mozilla.org/show_bug.cgi?id=879833

Here is the security bug for the proxy:
https://bugzilla.mozilla.org/show_bug.cgi?id=939081
Flags: needinfo?(klahnakoski)
During security review, there was concern that MVEL scripting has access to the JVM running ElasticSearch.  This means ElasticSearch has all the security holes of Java.  What confused me was there was concern the box could be rooted using this vector and leverage the IPMI.  What is the maximum damage that can be done if an attacker used a Java exploit?  Thanks
(In reply to Kyle Lahnakoski [:ekyle] from comment #4)
> yes, please disable scripting on the public bugs cluster.

The setting has been updated in the Elasticsearch config file; however, it is entirely unclear as to whether this is one of the settings that can be applied dynamically via the API (I suspect not), therefore a cluster restart is required.

---
08:34:22 < phrawzty> ekyle: re bug 943087, i have applied the setting update, but it is not dynamically applicable via the API, so a cluster restart is required.  Can I go ahead and do that now?  cc mcote
08:36:39 < mcote> phrawzty: yeah you should be fine to do that
08:36:54 < mcote> nothing actively writing to it as far as I know
---
Status: NEW → ASSIGNED
(In reply to Kyle Lahnakoski [:ekyle] from comment #5)
> During security review, there was concern that MVEL scripting has access to
> the JVM running ElasticSearch.  This means ElasticSearch has all the
> security holes of Java.   What confused me was there was concern the box
> could be rooted using this vector and leverage the IPMI.  What is the
> maximum damage that can be done if an attacker used a Java exploit?  Thanks

This is an excellent question, and one that could most certainly be answered in great detail by the OpSec team, who (I'm sure) would be more than happy to address your concern at length.  I would suggest opening a bug with them - if you do, please CC me on it, as I am also quite curious as to their response.

(In reply to Kyle Lahnakoski [:ekyle] from comment #0)
> MVEL scripting has access to the whole JVM.  Disable it.

It is disabled.  Happy Thanksgiving!
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
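
A check that could follow the restart described in this bug, as an added example that is not part of the original thread: it reads a nodes-info response and lists the nodes whose running settings do not disable dynamic scripting. It assumes the setting is `script.disable_dynamic` (the name used by Elasticsearch releases of that period; the thread does not name it), and the sample response and node names are constructed.

```python
import json

# Constructed sample of a nodes-info response (GET /_nodes/settings). Node ids,
# names and values are invented. Older releases return flat dotted keys and
# later ones nest them; both shapes are mixed here only to exercise the parser.
SAMPLE_NODES_INFO = json.loads("""
{
  "cluster_name": "example-public-bugs",
  "nodes": {
    "idA": {"name": "node-1", "settings": {"script.disable_dynamic": "true"}},
    "idB": {"name": "node-2", "settings": {"script": {"disable_dynamic": "true"}}},
    "idC": {"name": "node-3", "settings": {"script.disable_dynamic": "false"}},
    "idD": {"name": "node-4", "settings": {"path": {"logs": "/var/log/es"}}}
  }
}
""")


def lookup(settings, dotted_key):
    """Return a setting whether the response uses flat or nested keys."""
    if dotted_key in settings:
        return settings[dotted_key]
    node = settings
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def nodes_with_dynamic_scripting(nodes_info, key="script.disable_dynamic"):
    """Names of nodes whose running settings do not disable dynamic scripts.

    A missing key is reported too: the check fails closed rather than
    trusting a version-dependent default.
    """
    exposed = []
    for node in nodes_info.get("nodes", {}).values():
        value = lookup(node.get("settings", {}), key)
        if str(value).lower() != "true":
            exposed.append(node.get("name", "<unnamed>"))
    return sorted(exposed)


if __name__ == "__main__":
    print(nodes_with_dynamic_scripting(SAMPLE_NODES_INFO))
```

A node reports the settings it started with, so one that has not been restarted since the config file was edited still shows the old value and appears in the list.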