Page MenuHomePhabricator
Create Task
Maniphest T297002

Elasticsearch 6.5.4 docker image contains critical security issues
Closed, ResolvedPublicSecurity
Actions

Description

https://access.redhat.com/security/cve/CVE-2021-43527 was made public on December 1 and is included in the Elasticsearch Docker images we release.

Unfortunately per https://hub.docker.com/_/elasticsearch the supported images are not compatible with the extra plugins we use. Using a later images isn't an option. Running updates at build time does also not resolve the problem. It is also unclear to me how serious this issue is in terms of Elasticsearch running, maybe it's not even affected (however NSS seems like it would be used by many components)

Possible solutions

  1. roll a custom image based on something else. The 6.5.4 images doesn't look that complicated
  1. Start looking at something other than elasticsearch, but i guess it's very unclear how much of a drop-in solution this new OpenSearch alternative is?
  1. Bump ElasticSearch to 6.8 or higher? Not possible because org.wikimedia.search:extra plugins are only available for 6.5.4

Related Objects
Search...

Event Timeline

toan created this task.Dec 3 2021, 12:27 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 3 2021, 12:27 PM
toan added a subscriber: WMDE-leszek.Dec 3 2021, 12:28 PM
toan added subscribers: Addshore, Rosalie_WMDE.
toan moved this task from Backlog to Not prioritized/Not Ready/Other on the Wikibase Release Strategy (Wikibase 1.36 Release (wmde.4)) board.Dec 3 2021, 12:31 PM
toan updated the task description. (Show Details)Dec 3 2021, 12:36 PM
toan updated the task description. (Show Details)Dec 3 2021, 12:39 PM
Aklapper removed a subscriber: Wikibase Release Strategy.Dec 4 2021, 12:14 PM

@toan: Please avoid adding project tags as subscribers. Thanks.

Reedy edited projects, added SecTeam-Processed; removed Security-Team.Dec 6 2021, 5:07 PM
toan added a comment.Dec 9 2021, 11:09 AM

Some links from @Addshore

toan added subscribers: Tarrow, Silvan_WMDE, danshick-wmde, karapayneWMDE.Dec 14 2021, 9:42 AM
toan updated the task description. (Show Details)Dec 14 2021, 12:01 PM
WMDE-leszek added a subscriber: dcausse.Dec 14 2021, 12:05 PM

@dcausse would you be able to say what would be steps to determine if Elasticsearch plugins Wikibase/Wikidata uses, i.e. org.wikimedia.search:extra , would work with Elasticsearch 6.8?

I guess that might be a bit challenging path to take, as WMF probably does not have a huge interest in going away from ES 6.5.4 to some other 6.x version -- only a major version bump is probably what you are planning

dcausse added a comment.Dec 14 2021, 1:39 PM

@WMDE-leszek actually WMF will have to deploy ES 6.8 as part of the upgrade to ES7 please see T294499 :)

WMDE-leszek added a comment.Dec 14 2021, 1:52 PM

brilliant, thank you! Do you know any ETA on the ES 6.8 bump @dcausse ? Not asking for a specific date necessarily, more is it a few weeks or few months perspective? WMDE wouldn't mind if it happened tomorrow, of course, just in cases someone wondered what's our view.

dcausse added a comment.EditedDec 14 2021, 2:03 PM
In T297002#7569367, @WMDE-leszek wrote:

brilliant, thank you! Do you know any ETA on the ES 6.8 bump @dcausse ? Not asking for a specific date necessarily, more is it a few weeks or few months perspective? WMDE wouldn't mind if it happened tomorrow, of course, just in cases someone wondered what's our view.

We're hoping to upgrade to 6.8 between January and March (2021) so the plugins should be available early next year I think.

WMDE-leszek added a project: Wikibase Suite Team (Wikibase Suite Maintenance Releases Feb 2022).Feb 6 2022, 12:10 PM
WMDE-leszek moved this task from Backlog to Not prioritized/Not Ready/Other on the Wikibase Suite Team (Wikibase Suite Maintenance Releases Feb 2022) board.
Addshore added a comment.Feb 9 2022, 2:38 PM
In T297002#7569422, @dcausse wrote:
In T297002#7569367, @WMDE-leszek wrote:

brilliant, thank you! Do you know any ETA on the ES 6.8 bump @dcausse ? Not asking for a specific date necessarily, more is it a few weeks or few months perspective? WMDE wouldn't mind if it happened tomorrow, of course, just in cases someone wondered what's our view.

We're hoping to upgrade to 6.8 between January and March (2021) so the plugins should be available early next year I think.

Hi @dcausse, I see some activity on T294499 that might make me believe that a newer version of these plugins is now available?

In T294499#7676228, @gerritbot wrote:

Change 755750 merged by Bking:

[operations/software/elasticsearch/plugins@master] Upgrade to elasticsearch 6.8.23

https://gerrit.wikimedia.org/r/755750

But I also only see 6.5 in https://archiva.wikimedia.org/repository/releases/org/wikimedia/search/extra/ ?

Addshore added a comment.Feb 9 2022, 2:40 PM

https://repo1.maven.org/maven2/org/wikimedia/search/extra/6.8.23-wmf1/

Addshore claimed this task.Feb 9 2022, 2:48 PM
Addshore moved this task from Not prioritized/Not Ready/Other to Doing on the Wikibase Suite Team (Wikibase Suite Maintenance Releases Feb 2022) board.
Addshore removed a project: Wikibase Release Strategy (Wikibase 1.36 Release (wmde.4)).Feb 9 2022, 2:59 PM
Addshore added a parent task: T301359: Prepare wmde.5 (1.36) minor / security release.Feb 9 2022, 3:02 PM
Addshore closed this task as Resolved.Feb 10 2022, 7:13 PM
Addshore changed the visibility from "Custom Policy" to "Public (No Login Required)".
Addshore changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits