Security Advisory for OpenSearch Vulnerabilities: CVE-2023-45807 and GHSA-8wx3-324g-w4qq 

Following the publication of CVE-2023-45807 and GHSA-8wx3-324g-w4qq, Instaclustr began investigating their potential impact on our Instaclustr Managed OpenSearch® offering. These vulnerabilities affect all OpenSearch versions up to and including 2.10.0 on the 2.x line and up to and including 1.3.13 on the 1.x line.

CVE-2023-45807 identified an issue with the implementation of tenant permissions in OpenSearch Dashboards. Specifically, authenticated users with read-only access to a tenant can perform create, edit and delete operations on the index metadata of dashboards in that tenant, potentially rendering them unavailable. The CVSS (Common Vulnerability Scoring System) 3.x severity rating for this vulnerability by the NVD (National Vulnerability Database) is base score 5.4 – Medium.

GHSA-8wx3-324g-w4qq identified an issue with how OpenSearch handles incoming requests on the HTTP layer. As a result, an unauthenticated user can force a node to exit with an OutOfMemory error by sending a number of malformed HTTP requests. The CVSS 3.x severity rating for this vulnerability by the NVD is base score 7.5 – High.

Impact Analysis – CVE-2023-45807 

Instaclustr performed an investigation into this vulnerability and its potential impact on customers of our Managed OpenSearch Service and assessed its severity rating as 4.0 – Medium on the CVSS v3.1 scale. The findings are listed below:  

  • The main risk is that an authenticated user with read-only access to an OpenSearch Dashboards tenant can create, edit and delete dashboard index metadata, which could make those dashboards unavailable to other users of that tenant. Note that if you do not have an instance of OpenSearch Dashboards running in your cluster, this vulnerability will not affect you.
  • Instaclustr’s Managed OpenSearch Service employs firewall access control which limits where the cluster can be accessed from. This extends to OpenSearch Dashboards, greatly reducing the likelihood of exploit.  
  • This vulnerability requires that an attacker’s IP address be added to firewall rules to allow them access to the OpenSearch nodes. This reduces the likelihood of exploit. 

Impact Analysis – GHSA-8wx3-324g-w4qq 

Instaclustr performed an investigation into this vulnerability and its potential impact on customers of our Managed OpenSearch Service and assessed its severity rating as 5.7 – Medium on the CVSS v3.1 scale. The findings are listed below:  

  • The main risk identified is that an unauthenticated user can cause OpenSearch to stop processing data.  
  • Instaclustr’s Managed OpenSearch Service employs firewall access control which limits where the cluster can be accessed from.  
  • This vulnerability requires that an attacker’s IP address be added to firewall rules to allow them access to the OpenSearch nodes. This reduces the likelihood of exploit. 

Mitigation Approaches 

Based on the impacts detailed above, Instaclustr recommends the following actions for customers of our managed OpenSearch service:  

Instaclustr Response 

  • OpenSearch versions 2.11.0 and 1.3.14 contain the fixes to these vulnerabilities.  
  • OpenSearch version 2.11.0 is now available on the Instaclustr Managed Platform.  
  • OpenSearch version 1.3.14 is still being developed by the OpenSearch project and is currently slated for release in mid-December. Once released by the project, we will commence work on making it available on the Instaclustr Managed Platform. We will notify customers as soon as this version is available.
  • To ensure these fixes are delivered to all OpenSearch clusters on our Managed Service, our Support team will proactively patch existing clusters by minor version upgrade as part of the scheduled OS patching cycle in January 2024. 
  • As described in the impact analysis, reviewing firewall rules to ensure that only traffic from known IP addresses is allowed to access the cluster significantly reduces the likelihood of exploit. However, customers who are concerned about these vulnerabilities affecting their existing clusters can opt in to upgrade via our support team.  
  • For customers who do not opt in, please be advised that our Support team will patch your existing cluster version as part of the scheduled OS patching cycle in January 2024.  
  • Upon release of the new versions, we recommend that new clusters use only OpenSearch 2.11.0 or 1.3.14, depending on which major version you are using.
  • We will mark older OpenSearch versions as Closed and subsequently Retired once customer clusters have been upgraded to OpenSearch 2.11.0 and 1.3.14, as per our lifecycle policy.
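The following is an added triage helper, not Instaclustr tooling or part of the original advisory. It reads the JSON that OpenSearch returns from its root endpoint (GET /, which carries version.number) and reports, per release line, whether the cluster is below the fixed versions named above; whether OpenSearch Dashboards is deployed (dashboards_enabled) is assumed to be known to the operator, since CVE-2023-45807 only applies when Dashboards is running.

```python
import json
import re
from typing import Optional

# First fixed version on each release line, as stated in the advisory.
FIXED_VERSIONS = {1: (1, 3, 14), 2: (2, 11, 0)}

# Constructed sample of an OpenSearch root-endpoint response (not a real cluster).
SAMPLE_ROOT_RESPONSE = json.dumps({
    "name": "node-1",
    "cluster_name": "example-cluster",
    "version": {"distribution": "opensearch", "number": "2.10.0"},
})


def parse_version(text: str) -> tuple:
    """Turn '2.10.0' (or '2.10.0-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised OpenSearch version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its release line; None if the line is not covered."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None  # e.g. a 3.x line: the advisory says nothing about it
    return v < fixed  # anything below the fixed release is treated as affected


def triage(root_response: str, dashboards_enabled: bool) -> dict:
    """Assess both advisories from a GET / response and the operator's Dashboards knowledge."""
    version = json.loads(root_response)["version"]["number"]
    vuln = is_vulnerable(version)
    major = parse_version(version)[0]
    return {
        "version": version,
        # GHSA-8wx3-324g-w4qq is in the OpenSearch HTTP layer, so it applies to every node.
        "GHSA-8wx3-324g-w4qq": vuln,
        # CVE-2023-45807 lives in Dashboards; with no Dashboards instance it does not apply.
        "CVE-2023-45807": (vuln and dashboards_enabled) if vuln is not None else None,
        "target_version": ".".join(map(str, FIXED_VERSIONS[major])) if vuln else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ROOT_RESPONSE, dashboards_enabled=True))
```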