elastic search abuse on aws

Previously I highlighted the release of an exploit for Elasticsearch that allows unauthorized code execution on a server running Elasticsearch 1.1.x. It has just been reported that this same exploit is now being used to install DDoS (distributed denial of service) bots on vulnerable machines hosted within AWS. Elasticsearch instances should always be treated like a database and never be directly exposed to the internet. As a minimum, you should use nginx plugins to get JSON functionality directly from the web server and have nginx act as a proxy to back-end processes like Elasticsearch.

ssl setup

forward secrecy

In cryptography, forward secrecy (abbreviation: FS, also known as perfect forward secrecy or PFS) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. The key used to protect transmission of data must not be used to derive any additional keys, and if the key used to protect transmission of data is derived from some other keying material, then that material must not be used to derive any more keys.

insecure default in elasticsearch enables remote code execution

Elasticsearch has a flaw in its default configuration which makes it possible for any web page to execute arbitrary code on the machines of visitors who have Elasticsearch installed. If you are running Elasticsearch in development, please read the instructions on how to secure your machine. Elasticsearch version 1.2 (unreleased as of writing) is not vulnerable to remote code execution, but still has some security concerns.

further reading: http://bouk.co/blog/elasticsearch-rce/

cve-2014-0196

A new kernel bug has been discovered that allows local users to corrupt memory, potentially causing a system crash or gaining superuser privileges, by triggering a race condition in the tty driver involving read and write operations with long strings. Linux administrators are advised to upgrade any kernel from 2.6.31-rc3 to 3.14.3 as soon as possible. Proof-of-concept code has already been made available here and here.

further reading: http://cve.

encryption for cloud storage

With all the recent talk about how the NSA is reading archived email, I thought it might be worthwhile to share with the wider audience how I secure my archived email. Being a data pack rat, I’ve managed to keep a copy of my Inbox for the last 5 years. As you can imagine, this gives me quite a large piece of data. I wanted to keep a copy of this online at all times but ensure that I was the only one able to view its contents.