
AWS Elasticsearch domain endpoints should not use a deprecated version of SSL/TLS

Severity: HIGH
Exploitability: LOW
Providers: AWS
Categories: NETWORK

Description

Amazon Elasticsearch Service (now Amazon OpenSearch Service) is a managed deployment of Elasticsearch, an open-source search and analytics engine used for log analytics, real-time application monitoring, and clickstream analysis. Each domain exposes an HTTPS endpoint whose minimum TLS version is set by a TLS security policy.

Outdated TLS policies (those still permitting TLS 1.0 and 1.1) depend on MD5 and SHA-1 in their pseudorandom function and MAC constructions, offer no AEAD cipher suites, and are subject to a range of well-known attacks against their CBC-mode ciphers and downgrade handling. Both versions were formally deprecated in March 2021 (RFC 8996).

Allowing such a policy on a domain endpoint lets a network-positioned attacker negotiate a weak protocol version, break or downgrade the session encryption, decrypt traffic, and mount man-in-the-middle attacks against clients of the domain.

Impact

Potential data exposure: True
Visible in logs: False
User interaction required: True
Privileges required: False

Known vulnerabilities could be exploited with man-in-the-middle attacks and lead to data and credential leakage.

Remediation guidelines

In the domain endpoint options, set the TLS security policy to one that requires TLS 1.2 or higher (for example, Policy-Min-TLS-1-2-2019-07 instead of the legacy Policy-Min-TLS-1-0-2019-07), and keep "Require HTTPS" enabled so clients cannot fall back to plaintext. Domains created without explicit endpoint options run on the legacy default, so audit every domain rather than only those where a policy was set by hand.
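The following audit-and-remediate script is an added example written for this page; it is not code from the original page, from AWS, or from the scanner that produced this rule. It evaluates the DomainEndpointOptions returned by the es API's DescribeElasticsearchDomainConfig call, flags any domain whose minimum TLS version is below 1.2, and optionally applies the fix through UpdateElasticsearchDomainConfig. The policy names are the ones AWS documents for the TLSSecurityPolicy field; the treatment of a missing policy as the legacy default, the sample domain configurations, and the FakeElasticsearchClient stand-in are assumptions made so the script runs offline.

```python
"""Audit Amazon Elasticsearch/OpenSearch domains for deprecated TLS endpoint policies.

Added example for this rule, not AWS code. Run with no arguments to exercise the
constructed sample data offline; run with --live (and optionally --fix) against a real
account, which assumes credentials carrying es:Describe* / es:Update* permissions.
"""
from __future__ import annotations

import copy
import sys

# Policies that enforce a TLS 1.2 minimum (names as used by the TLSSecurityPolicy field).
# Anything not in this set is treated as non-compliant.
COMPLIANT_POLICIES = {
    "Policy-Min-TLS-1-2-2019-07",
    "Policy-Min-TLS-1-2-PFS-2023-10",
}
# Legacy policy that still accepts TLS 1.0 and 1.1.
LEGACY_POLICY = "Policy-Min-TLS-1-0-2019-07"
TARGET_POLICY = "Policy-Min-TLS-1-2-2019-07"


def endpoint_tls_policy(domain_config: dict) -> str:
    """Return the effective TLSSecurityPolicy from a DomainConfig structure.

    Assumption: a domain with no DomainEndpointOptions (common for older domains) is
    running the legacy default, so a missing value is reported as LEGACY_POLICY rather
    than silently passing.
    """
    options = domain_config.get("DomainEndpointOptions", {}).get("Options", {})
    return options.get("TLSSecurityPolicy", LEGACY_POLICY)


def evaluate_domain(name: str, domain_config: dict) -> dict:
    """Produce one finding: the domain, its policy, and whether it meets the TLS 1.2 bar."""
    policy = endpoint_tls_policy(domain_config)
    return {"domain": name, "policy": policy, "compliant": policy in COMPLIANT_POLICIES}


def remediation_args(name: str) -> dict:
    """Keyword arguments for update_elasticsearch_domain_config that raise the minimum to TLS 1.2.

    EnforceHTTPS is set alongside the policy so the endpoint cannot be reached over plaintext.
    """
    return {
        "DomainName": name,
        "DomainEndpointOptions": {"EnforceHTTPS": True, "TLSSecurityPolicy": TARGET_POLICY},
    }


def scan(client, domain_names: list[str], fix: bool = False) -> list[dict]:
    """Evaluate each domain; when fix=True, remediate the non-compliant ones.

    Findings reflect the state observed before any update was applied.
    """
    findings = []
    for name in domain_names:
        cfg = client.describe_elasticsearch_domain_config(DomainName=name)["DomainConfig"]
        finding = evaluate_domain(name, cfg)
        if fix and not finding["compliant"]:
            client.update_elasticsearch_domain_config(**remediation_args(name))
        findings.append(finding)
    return findings


# Constructed sample DomainConfig payloads (shape of describe_elasticsearch_domain_config
# output, trimmed to the field of interest); not captured from a real account.
SAMPLE_CONFIGS = {
    "logs-legacy": {"DomainEndpointOptions": {"Options": {
        "EnforceHTTPS": True, "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"}}},
    "logs-hardened": {"DomainEndpointOptions": {"Options": {
        "EnforceHTTPS": True, "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"}}},
    "logs-default": {},  # no endpoint options ever set: legacy default applies
}


class FakeElasticsearchClient:
    """Constructed stand-in for boto3.client("es") so the scan runs offline."""

    def __init__(self, configs: dict):
        self.configs = {n: copy.deepcopy(c) for n, c in configs.items()}
        self.updates: list[str] = []

    def describe_elasticsearch_domain_config(self, DomainName: str) -> dict:
        return {"DomainConfig": self.configs[DomainName]}

    def update_elasticsearch_domain_config(self, DomainName: str, DomainEndpointOptions: dict) -> dict:
        self.updates.append(DomainName)
        opts = self.configs[DomainName].setdefault("DomainEndpointOptions", {}).setdefault("Options", {})
        opts.update(DomainEndpointOptions)
        return {"DomainConfig": self.configs[DomainName]}


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # real client; assumes AWS credentials are configured
        client = boto3.client("es")
        names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    else:
        client = FakeElasticsearchClient(SAMPLE_CONFIGS)
        names = list(SAMPLE_CONFIGS)
    for f in scan(client, names, fix="--fix" in sys.argv):
        status = "OK  " if f["compliant"] else "FAIL"
        print(f"{status} {f['domain']}: {f['policy']}")
```

After remediating, confirm the change from the network side rather than trusting the API alone: `openssl s_client -connect <domain-endpoint>:443 -tls1_1` should fail to negotiate, while `-tls1_2` succeeds. Note that tightening the policy breaks any legacy client still pinned to TLS 1.0/1.1, so check the domain's access logs for such clients before applying `--fix` broadly.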
