HIGH: Open Elasticsearch Report

DESCRIPTION LAST UPDATED: 2023-12-11

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have Elasticsearch running and accessible on the Internet.

On its own, Elasticsearch does not support authentication or restrict access to the datastore, so it is possible that any entity that can access the Elasticsearch instance may have complete control to do what they will with it. The probe that we are using is a “GET / HTTP/1.1” sent to port 9200/tcp.

See https://www.elastic.co/products/elasticsearch for more information on Elasticsearch.

You view exposed Elasticsearch instances on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_elasticsearch, scan6_elasticsearch

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the Elasticsearch response came on (always TCP)
  • port
    Port that the Elasticsearch response came from (9200/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be elasticsearch
  • version
    Elasticsearch version number
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • ok
    Indicator that everything is functioning properly (only present in ES instances pre-v1.0)
  • name
    The identifying (trivial) name of the Elasticsearch instance
  • cluster_name
    The name of the Elasticsearch cluster that the instance belongs to (if any)
  • status
    Usually "200" meaning that everything is working
  • build_hash
    Hash of the running version of Elasticsearch
  • build_timestamp
    Timestamp of when the running version of Elasticsearch was built
  • build_snapshot
    Whether snapshots are enabled
  • lucene_version
    Version of Apache Lucene that Elasticsearch is using
  • tagline
    Tagline
  • sector
    Sector to which the device belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","ok","name","cluster_name","http_code","build_hash","build_timestamp","build_snapshot","lucene_version","tagline","sector"
"2010-02-10 00:00:00",low,192.168.0.1,tcp,5555,node01.example.com,elasticsearch,6.8.13,64512,ZZ,Region,City,0,,,mcRPI7d,elasticsearch,,be13c69,,false,7.7.3,"You Know, for Search",
"2010-02-10 00:00:01",low,192.168.0.2,tcp,8000,node02.example.com,elasticsearch,5.5.2,64512,ZZ,Region,City,0,,,datagrand_2,datagrand_search,,b2f0c09,,false,6.6.0,"You Know, for Search",
"2010-02-10 00:00:02",low,192.168.0.3,tcp,8001,node03.example.com,elasticsearch,6.8.2,64512,ZZ,Region,City,0,ptr,,s941BLW,docker-cluster,,b506955,,false,7.7.0,"You Know, for Search","Retail Trade"

Our 124 Report Types