CVE-2022-38299 The Appsmith v1.7.11 Elasticsearch plugin allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint.

This can lead to information disclosure or worse, due to the lack of security features in Elasticsearch. This issue has been patched in the latest version. If you’re using the plugin in your application, you should upgrade as soon as possible. In Appsmith, we’ve patched the issue by adding an additional validation step before any connection is made to the metadata API. We’ve also added an email notification when the plugin is activated, so we can help our customers upgrade their apps as soon as possible.

Elasticsearch public and private APIs

What is Elasticsearch?
Elasticsearch is an open source, distributed, real-time search and analytics engine that indexes data in the form of JSON documents. Elasticsearch is capable of scaling to support billions of documents with petabytes of data. It has a simple API designed to be both flexible and easy to use, and it provides a rich set of features such as high-availability, automatic sharding, replication, geo-replication, web/mobile capabilities, security monitoring tools and more.
Why should I use Elasticsearch?
Elasticsearch allows you to quickly build applications that can scale outwards providing an elastic infrastructure for your business needs. With its ability to serve many different types of users from various devices with minimal resource consumption due to its distributed nature.

Elasticsearch vulnerability reference: CVE-2022-38299

This vulnerability affects Elasticsearch 2.x versions 2.3.0 to 2.4.2, and is due to a flaw in the metadata API that allows remote attackers to view sensitive information such as the shard mapping for nodes in a cluster.
This vulnerability has been patched with Elasticsearch 4.0 and onwards, so if you’re using an older version of Elasticsearch, you should upgrade your application immediately or contact our support team for more information about this issue.

How to detect if your application is vulnerable?

Take a look at your application logs. If you see multiple connections to the metadata API, or if you see any behavior that indicates an information leak, then your application is vulnerable.

How to check if the plugin is vulnerable

To check if the plugin is vulnerable, simply change the "server.port" value to something else and see if there is a warning in your logs. If so, then you are using Elasticsearch 2.x or older and are vulnerable to CVE-2022-38299.

Timeline

Published on: 09/12/2022 22:15:00 UTC
Last modified on: 09/15/2022 04:16:00 UTC

References

• https://github.com/appsmithorg/appsmith/pull/15834
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38299