Jon Gaines, senior application security consultant at nVisium, said the Elastic Stack is “notorious for excessive data exposure” and added that a few years ago — and by default — data was exposed publicly. Since then the defaults have changed but he noted that this doesn’t mean that older versions aren’t grandfathered in or that minor configuration changes can’t lead to both of these newly unearthed vulnerabilities.
“There are — and have been — multiple open source tools that lead to the discovery of these vulnerabilities that I’ve used previously and continue to use. Unfortunately, the technical barrier of these vulnerabilities is extremely low. As a result, the risk of a bad guy discovering and exploiting these vulnerabilities is high,” Gaines said.
“From the outside looking in, these vulnerabilities are common sense for security professionals, authorization, rate limitations, invalidation, parameterized queries, and so forth. However, as a data custodian, administrator, or even developer, oftentimes you aren’t taught to develop or maintain with security in mind.”