Search Guard v15

Release Date: August 08, 2017

Critical Security Fix

  • DLS/FLS leaking information when the multitenancy module is installed and “do not fail on forbidden” is activated

The issue occurs when the multitenancy module is installed and the “do not fail on forbidden” feature is activated in sg_config, like this:

searchguard:
  dynamic:
    kibana:
      do_not_fail_on_forbidden: true

The DLS/FLS module can leak information if the user does not have permissions for all indices in a query or get action.

This affects all versions of Search Guard up to and including v14 with Elasticsearch 5.0.2 or higher, and includes the REST and the transport layer. Please upgrade to Search Guard v15 immediately. Search Guard 15 is a drop-in replacement for v14; no configuration changes are required.
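To check whether a given deployment meets the conditions described above, the following added example (not part of the original release notes or Search Guard's own code) evaluates them against an sg_config file. The function names, the minimal YAML lookup, and the operator-supplied inputs sg_release, es_version and multitenancy_installed are assumptions.

```python
import re

# Constructed sample sg_config fragment, mirroring the snippet in the advisory.
SAMPLE_SG_CONFIG = """\
searchguard:
  dynamic:
    kibana:
      do_not_fail_on_forbidden: true
"""

def yaml_lookup(text, path):
    """Return the scalar at a nested key path in simple block-style YAML, or None.
    Handles only indentation-nested mappings, which is enough for this setting."""
    stack = []  # (indent, key) pairs describing the current nesting
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        m = re.match(r"^(\s*)([^\s:#][^:]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave deeper or sibling scopes
        stack.append((indent, key))
        if [k for _, k in stack] == list(path) and value:
            return value.strip("'\"")
    return None

def version_tuple(v):
    """'5.4.3' -> (5, 4, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def is_exposed(sg_config_text, sg_release, es_version, multitenancy_installed):
    """True when every condition named in the advisory holds (inputs are assumptions)."""
    flag = yaml_lookup(
        sg_config_text,
        ("searchguard", "dynamic", "kibana", "do_not_fail_on_forbidden"),
    )
    return (
        sg_release <= 14                              # fixed in v15
        and version_tuple(es_version) >= (5, 0, 2)    # ES 5.0.2 or higher
        and multitenancy_installed
        and (flag or "").lower() == "true"
    )
```

A True result means the deployment matches every condition in the advisory and should be upgraded to v15.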

Features (only available for ES 5.4.3 and higher)

  • Search Guard can now be disabled in elasticsearch.yml by setting:
    • searchguard.disabled: true
    • Caution: This will disable all security features and also expose the internal Search Guard index
  • Make user cache timeout configurable, incl. disabling it completely
    • The internal user cache TTL can now be set in elasticsearch.yml
    • searchguard.cache.ttl_minutes: <integer, ttl in minutes>
    • Setting this value to 0 disables the cache completely
  • Documented TLS Client-Initiated Renegotiation
  • Support for multiple filtered index aliases
  • Support for email address in certificates
    • The DN of node and admin certificates can now contain the (deprecated) emailAddress field
    • This is for backward compatibility; email addresses should usually be stored in the SAN entry
  • Sanity checks for DLS/FLS settings
    • An error is now logged if invalid DLS/FLS settings are detected

Fixes