Closed
Bug 943087
Opened 11 years ago
Closed 11 years ago
[Bugs ES] Disable MVEL on Public ES cluster
Categories
(Infrastructure & Operations :: IT-Managed Tools, task, P4)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: ekyle, Assigned: dmaher)
References
Details
MVEL scripting has access to the whole JVM. Disable it.
Reporter | ||
Updated•11 years ago
|
Reporter | ||
Comment 1•11 years ago
|
||
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html#_disabling_dynamic_scripts
Reporter | ||
Updated•11 years ago
|
Assignee: nobody → network-operations
Component: General → NetOps
Product: Testing → Infrastructure & Operations
QA Contact: adam
Version: unspecified → other
Reporter | ||
Comment 2•11 years ago
|
||
Public cluster is at elasticsearch[1-3].bugs.scl3.mozilla.com The cluster for private bugs [4-6] requires scripting stay enabled.
Assignee | ||
Updated•11 years ago
|
Assignee: network-operations → server-ops-webops
Component: NetOps → WebOps: IT-Managed Tools
QA Contact: adam → nmaul
Assignee | ||
Updated•11 years ago
|
Assignee: server-ops-webops → dmaher
Priority: -- → P4
Assignee | ||
Comment 3•11 years ago
|
||
My understanding is that the term "public bugs cluster" refers to the fact that only bugs with non-protected flags are indexed. The cluster itself is not open to the public and is in fact behind a series of firewalls and network ACLs. The "public" and "private" bugs clusters are situationally identical. Please confirm that you still want scripting disabled on the "public bugs" cluster.
Flags: needinfo?(klahnakoski)
Reporter | ||
Comment 4•11 years ago
|
||
yes, please disable scripting on the public bugs cluster. The plan is to setup a proxy, and have this open to the public. Before we do this we must run tests to ensure there is no private bugs leaking into this cluster. Here is my naive architecture document (feedback would be appreciated): https://bugzilla.mozilla.org/attachment.cgi?id=8337813 Here is the bug for the proxy (called esFrontLine): https://bugzilla.mozilla.org/show_bug.cgi?id=879833 Here is the security bug for the proxy: https://bugzilla.mozilla.org/show_bug.cgi?id=939081
Flags: needinfo?(klahnakoski)
Reporter | ||
Comment 5•11 years ago
|
||
During security review, there was concern that MVEL scripting has access to the JVM running ElasticSearch. This means ElasticSearch has all the security holes of Java. What confused me was there was concern the box could be rooted using this vector and leverage the IPMI. What is the maximum damage that can be done if an attacker used an Java exploit? Thanks
Assignee | ||
Comment 6•11 years ago
|
||
(In reply to Kyle Lahnakoski [:ekyle] from comment #4) > yes, please disable scripting on the public bugs cluster. The setting has been updated in the Elasticsearch config file; however, it is entirely unclear as to whether this is one of the settings that can be applied dynamically via the API (I suspect not), therefore a cluster restart is required. --- 08:34:22 < phrawzty> ekyle: re bug 943087, i have applied the setting update, but it is not dynamically applicable via the API, so a cluster restart is required. Can I go ahead and do that now? cc mcote 08:36:39 < mcote> phrawzty: yeah you should be fine to do that 08:36:54 < mcote> nothing actively writing to it as far as I know ---
Status: NEW → ASSIGNED
Assignee | ||
Comment 7•11 years ago
|
||
(In reply to Kyle Lahnakoski [:ekyle] from comment #5) > During security review, there was concern that MVEL scripting has access to > the JVM running ElasticSearch. This means ElasticSearch has all the > security holes of Java. What confused me was there was concern the box > could be rooted using this vector and leverage the IPMI. What is the > maximum damage that can be done if an attacker used an Java exploit? Thanks This is an excellent question, and one that could most certainly be answered in great detail by the OpSec team, who (I'm sure) would be more than happy to address your concern at length. I would suggest opening a bug with them - if you do, please CC me on it, as I am also quite curious as to their response. (In reply to Kyle Lahnakoski [:ekyle] from comment #0) > MVEL scripting has access to the whole JVM. Disable it. It is disabled. Happy Thanksgiving!
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•