Valtik Studios
Elasticsearch · critical · 2026-04-15 · 13 min read

Elasticsearch: The Open Cluster Epidemic

Elasticsearch ships with no authentication by default. The _search endpoint returns every indexed document, _cat/indices lists every index, and _cluster/settings exposes internal configuration. Thousands of clusters are publicly exposed with customer PII, logs, and credentials — a recurring pattern in data breach forensics and vulnerability assessments.

No authentication by default

Elasticsearch ships with security features disabled. Out of the box, anyone who can reach port 9200 has full access to every index, every document, and every cluster setting. There is no login prompt, no API key, no authentication of any kind.

The enumeration chain

  1. GET / : confirms Elasticsearch, returns version and cluster name
  2. GET /_cat/indices?v : lists every index with document count and size
  3. GET /{index}/_search?size=1000 : dumps up to 1000 documents from any index
  4. GET /_cluster/settings?include_defaults=true : full cluster configuration

What we find in exposed clusters

Elasticsearch is used for logging, search, and analytics. Exposed clusters typically contain:

  • Application logs with full request/response bodies (including auth tokens and passwords)
  • User search history and behavioral analytics
  • Customer PII indexed for search functionality
  • Infrastructure metrics revealing internal architecture

Kibana compounds the problem

Kibana (the Elasticsearch UI) also ships with no authentication. If Kibana is exposed, it provides a visual interface to browse every index, run arbitrary queries, and modify cluster settings.

How we detect this

Our scanner:

  1. Probes port 9200 for the Elasticsearch banner
  2. Requests /_cat/indices to enumerate all indices
  3. Samples documents from the first few indices to assess data sensitivity
  4. Checks for Kibana on port 5601
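A self-audit version of steps 1 and 2 of that procedure, added here as an example and not Valtik Studios' scanner: run it against a node you operate to confirm that GET / is refused with a 401 challenge once security is enabled, and to see what an anonymous caller could otherwise enumerate. The hostnames and the function names classify_root, parse_cat_indices and audit_node are assumptions chosen for this example.

```python
import json
import urllib.request
import urllib.error

def classify_root(status, headers, body):
    """Classify the answer to GET / (step 1 of the enumeration chain).
    'open': no auth, cluster name and version disclosed; 'secured': HTTP 401
    with a WWW-Authenticate challenge; anything else: 'not-elasticsearch'."""
    if status == 401 and any(k.lower() == "www-authenticate" for k in headers):
        return "secured"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "not-elasticsearch"

def parse_cat_indices(text):
    """Parse the whitespace table from GET /_cat/indices?v (step 2) into
    {index: docs.count}. Closed indices report null, counted as 0 here."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return {}
    cols = lines[0].split()  # header row names the columns
    out = {}
    for line in lines[1:]:
        row = dict(zip(cols, line.split()))
        count = row.get("docs.count", "0")
        out[row["index"]] = int(count) if count.isdigit() else 0
    return out

def audit_node(host, port=9200, timeout=5):
    """Run the two read-only checks against one of your own nodes.
    Returns (verdict, {index: doc_count}); indices are listed only if open."""
    base = f"http://{host}:{port}"  # host is an assumption supplied by the caller
    try:
        with urllib.request.urlopen(f"{base}/", timeout=timeout) as r:
            verdict = classify_root(r.status, r.headers, r.read())
    except urllib.error.HTTPError as e:  # 401 from a secured node lands here
        verdict = classify_root(e.code, e.headers, e.read())
    except (urllib.error.URLError, OSError):
        return "unreachable", {}
    if verdict != "open":
        return verdict, {}
    with urllib.request.urlopen(f"{base}/_cat/indices?v", timeout=timeout) as r:
        return verdict, parse_cat_indices(r.read().decode())

if __name__ == "__main__":
    import sys
    print(audit_node(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

A verdict of "open" with a non-empty index map is exactly the state the post describes; "secured" means the xpack.security.enabled setting from the Defense section is in effect.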

Defense

  • Enable Elasticsearch Security (X-Pack); it has been free since version 6.8
  • Set xpack.security.enabled: true in elasticsearch.yml
  • Configure TLS for inter-node and client communication
  • Never expose port 9200 or 5601 to the internet
  • Use a reverse proxy with authentication if external access is needed

Want us to check your Elasticsearch setup?

Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. Free website check available, no commitment required.