Dear friends of Graylog2,

It has come to our attention that a serious vulnerability in one of the 
essential components that we rely on for the development and operation of 
Graylog2 has been published. Elasticsearch contains a feature named “dynamic 
scripting” which allows you to evaluate MVEL expressions to (for example) 
define your own scoring functions. MVEL also makes it possible for you to read 
files on the machine it is executed on (in this case the elasticsearch server). 
Because elasticsearch has no authentication/authorization mechanism and this 
feature is enabled by default on all versions up to 1.2, anyone with network 
access to the elasticsearch server can read any file that the operating system 
user elasticsearch runs as has access to. 

As Graylog2 is using an elasticsearch version for message indexing which is 
affected by this issue, we take this problem very seriously. We pass on this 
information to you and strongly advise you to check your installation. There is 
a PoC script available which checks the installation on your local machine at 
this address: http://bouk.co/blog/elasticsearch-rce/poc.html

If the dynamic scripting feature is enabled on your installation, you can 
disable it by adding the line  

script.disable_dynamic: true  

to your elasticsearch configuration file. Besides message indexing, no other 
Graylog2 data is affected per se by this. All other data (user information, 
streams, extractors, inputs, dashboards, alerts, …) is stored in MongoDB and 
not in elasticsearch.

If you need more information about this issue, please check this URL 
http://bouk.co/blog/elasticsearch-rce/ or feel free to send any questions to 
the mailing list.

Kind regards,
        Dennis Oelkers

-- 
TORCH GmbH
Steckelhörn 11
20457 Hamburg

Tel +49 (0)40-60945200
https://www.torch.sh

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Managing Directors (Geschäftsführer): Hass Chapman, Lennart Koopmann
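
An added example, not part of the original message or of Graylog2/Elasticsearch: a small check that reports whether script.disable_dynamic is set in an elasticsearch configuration file, as the advisory above recommends. The function names and sample configurations are constructed for illustration; it assumes the file holds plain key/value settings in either the flat (script.disable_dynamic) or nested (script: / disable_dynamic:) YAML form, with the last occurrence winning.

```python
import re
import sys

def effective_settings(config_text):
    """Flatten simple key/value YAML into dotted keys (scalar values only)."""
    settings, stack = {}, []              # stack: (indent, key) of open mappings
    for raw in config_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop comments
        m = re.match(r"^(\s*)([^:#\s][^:]*):\s*(.*)$", line)
        if not m:
            continue                      # blank, comment-only or unparsable line
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # leave mappings we are no longer inside
        if value == "":
            stack.append((indent, key))   # "script:" opens a nested mapping
        else:
            dotted = ".".join([k for _, k in stack] + [key])
            settings[dotted] = value.strip("'\"")
    return settings

def dynamic_scripting_state(config_text):
    """Return 'disabled', 'enabled', 'unset' or 'review' for the given config."""
    value = effective_settings(config_text).get("script.disable_dynamic")
    if value is None:
        return "unset"      # advisory: feature is on by default up to 1.2
    if value.lower() == "true":
        return "disabled"   # the exact setting the advisory recommends
    if value.lower() == "false":
        return "enabled"
    return "review"         # some other value: check it by hand

# Constructed sample configurations (not taken from a real installation).
SAMPLE_FLAT = "cluster.name: graylog2\nscript.disable_dynamic: true  \n"
SAMPLE_NESTED = "cluster:\n  name: graylog2\nscript:\n  disable_dynamic: true\n"
SAMPLE_COMMENTED = "cluster.name: graylog2\n#script.disable_dynamic: true\n"

if __name__ == "__main__":
    # Usage: python check_es_config.py /path/to/elasticsearch.yml
    with open(sys.argv[1], encoding="utf-8") as fh:
        state = dynamic_scripting_state(fh.read())
    print("dynamic scripting:", state)
    sys.exit(0 if state == "disabled" else 1)
```

A result of "unset" means the line is missing or commented out, so the version default applies.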





