
Elasticsearch 6.5.4 docker image contains critical security issues
Closed, Resolved · Public · Security

Description

https://access.redhat.com/security/cve/CVE-2021-43527 was made public on December 1 and is included in the Elasticsearch Docker images we release.

Unfortunately, per https://hub.docker.com/_/elasticsearch the supported images are not compatible with the extra plugins we use. Using a later image isn't an option. Running updates at build time also does not resolve the problem. It is also unclear to me how serious this issue is in terms of Elasticsearch running; maybe it's not even affected (however, NSS seems like it would be used by many components).

Possible solutions

  1. Roll a custom image based on something else. The 6.5.4 image doesn't look that complicated.
  2. Start looking at something other than Elasticsearch, but I guess it's very unclear how much of a drop-in solution this new OpenSearch alternative is?
  3. Bump Elasticsearch to 6.8 or higher? Not possible because org.wikimedia.search:extra plugins are only available for 6.5.4.
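The description leaves open whether the NSS shipped in the image is actually in an affected range and whether a rebuilt image picked up a fixed package. The script below is an added example, not code from this task or from any Wikimedia repository. It assumes the 6.5.4 image is CentOS 7 based, so the installed NSS version can be read with `rpm -q nss` inside the container, and it takes the fixed upstream versions (3.68.1 on the ESR branch, 3.73 otherwise) from Mozilla's advisory for CVE-2021-43527. The function names (`ver_lt`, `nss_vulnerable`, `nss_version_from_rpm`, `nss_verdict`) and the sample rpm output line are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of this Phabricator task or any Wikimedia code.
# Assumption: the image is CentOS 7 based, so the installed NSS package can be
# queried with:   docker run --rm --entrypoint rpm <image> -q nss
# A constructed rpm output line stands in for that call so the script runs
# offline.

# ver_lt A B: true (exit 0) when dot-separated version A sorts before B.
ver_lt() {
  vl_a="$1"; vl_b="$2"
  while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
    vl_x="${vl_a%%.*}"; vl_y="${vl_b%%.*}"
    case "$vl_a" in *.*) vl_a="${vl_a#*.}" ;; *) vl_a="" ;; esac
    case "$vl_b" in *.*) vl_b="${vl_b#*.}" ;; *) vl_b="" ;; esac
    vl_x="${vl_x:-0}"; vl_y="${vl_y:-0}"   # missing component counts as 0
    if [ "$vl_x" -lt "$vl_y" ]; then return 0; fi
    if [ "$vl_x" -gt "$vl_y" ]; then return 1; fi
  done
  return 1
}

# nss_vulnerable VERSION: true when the *upstream* NSS VERSION falls in a range
# affected by CVE-2021-43527. Fixed releases per Mozilla: 3.68.1 (ESR) and 3.73.
# Caveat: distributions backport fixes without changing this number, so the
# vendor advisory (e.g. the Red Hat page for this CVE) is authoritative for a
# given package release; this check is a first triage step, not the last word.
nss_vulnerable() {
  if ver_lt "$1" 3.68.1; then return 0; fi          # below the ESR fix
  if ! ver_lt "$1" 3.69 && ver_lt "$1" 3.73; then   # 3.69 .. 3.72.x
    return 0
  fi
  return 1                                          # 3.68.1 .. 3.68.x, or >= 3.73
}

# nss_version_from_rpm LINE: extract the upstream version from rpm's default
# "name-version-release.arch" output (e.g. nss-3.53.1-7.el7_9.x86_64).
nss_version_from_rpm() {
  printf '%s\n' "$1" | sed -n 's/^nss-\([0-9][0-9.]*\)-.*$/\1/p'
}

# nss_verdict LINE: print "AFFECTED <ver>" (exit 0), "FIXED <ver>" (exit 1) or
# "UNKNOWN ..." (exit 2) for one rpm output line, so CI can grep the result.
nss_verdict() {
  nv_ver=$(nss_version_from_rpm "$1")
  if [ -z "$nv_ver" ]; then
    echo "UNKNOWN (could not parse: $1)"
    return 2
  fi
  if nss_vulnerable "$nv_ver"; then
    echo "AFFECTED $nv_ver"
    return 0
  fi
  echo "FIXED $nv_ver"
  return 1
}

# Constructed sample standing in for `rpm -q nss` run inside the image.
SAMPLE_RPM_LINE="nss-3.53.1-7.el7_9.x86_64"
nss_verdict "$SAMPLE_RPM_LINE" || true
```

Two things to keep in mind when reading the verdict. First, it only tells you whether the NSS library in the image is affected; Elasticsearch itself runs on the JVM with its own TLS implementation and only links NSS if a SunPKCS11-NSS provider has been configured, so the library may be present but unused by the search process while still being reachable by other tools in the image. Second, a rebuilt image only changes the verdict if the base repository actually carries a patched package, which is the case the description reports did not happen.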

Event Timeline

@toan: Please avoid adding project tags as subscribers. Thanks.

Some links from @Addshore

@dcausse, would you be able to say what the steps would be to determine if the Elasticsearch plugins Wikibase/Wikidata uses, i.e. org.wikimedia.search:extra, would work with Elasticsearch 6.8?

I guess that might be a bit of a challenging path to take, as WMF probably does not have a huge interest in going away from ES 6.5.4 to some other 6.x version -- only a major version bump is probably what you are planning.

@WMDE-leszek, actually WMF will have to deploy ES 6.8 as part of the upgrade to ES7; please see T294499 :)

Brilliant, thank you! Do you know any ETA on the ES 6.8 bump, @dcausse? Not asking for a specific date necessarily; more whether it is a few weeks or a few months perspective. WMDE wouldn't mind if it happened tomorrow, of course, just in case someone wondered what our view is.

We're hoping to upgrade to 6.8 between January and March (2021), so the plugins should be available early next year, I think.

Hi @dcausse, I see some activity on T294499 that makes me believe a newer version of these plugins is now available?

Change 755750 merged by Bking:

[operations/software/elasticsearch/plugins@master] Upgrade to elasticsearch 6.8.23

https://gerrit.wikimedia.org/r/755750

But I also only see 6.5 in https://archiva.wikimedia.org/repository/releases/org/wikimedia/search/extra/ ?

Addshore changed the visibility from "Custom Policy" to "Public (No Login Required)".
Addshore changed the edit policy from "Custom Policy" to "All Users".