What type of Elasticsearch Client is ReadonlyREST Free?

Hi

Sorry for the probably dumb, curious question: while debugging the Apache Log4j2 Remote Code Execution (RCE) Vulnerability (CVE-2021-44228, CVE-2021-45046, ESA-2021-31), and also visiting the list of Elasticsearch clients (Elasticsearch Clients | Elastic), I wondered: what type of Elasticsearch client is ReadonlyREST Free?

I did not get a clear understanding either while reading through For Elasticsearch - ReadonlyREST.

My bumpy understanding of the core technologies said that ROR is a type of Java REST client, and I was surprised that this is marked as deprecated in 7.15 in the Elasticsearch Clients list. Please forgive me if I am following the wrong path.

Thank you in advance!

Hello Toomas,

TL;DR: ROR is not an ES client, it's a middleware.

It's actually an important question, and I will take the opportunity to explain how ReadonlyREST works in clearer terms.

The ReadonlyREST plugin for Elasticsearch operates as a middleware in the Elasticsearch HTTP request processing pipeline. Our logic is called by Elasticsearch at four points:

  1. TCP transport - where the SSL layer is implemented
  2. After the HTTP request is parsed
  3. After the request has been transformed into the internal format (i.e. SearchRequest)
  4. At the Lucene shard search level - where field level security and document level security is applied

For performance reasons, we try to reject as many requests as possible in the lowest layers, and only the last bits of access control are delegated to the fourth layer (the most computationally expensive).

Because ROR operates as a middleware inside Elasticsearch, it uses the Elasticsearch code infrastructure as a "provided" dependency. That is, when we print a log line, the call eventually lands in whichever Log4j version Elasticsearch provides.

And that's why, in the announcement about CVE-2021-44228/CVE-2021-45046, I wrote that ROR users should focus on updating Elasticsearch.

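Since the answer above says that the plugin logs through whatever Log4j Elasticsearch itself ships, the practical check is to inspect the Elasticsearch installation, not the plugin. The script below is an added example (not code from the ReadonlyREST project or from this thread) that walks an ES home directory, reports every `log4j-core` jar it finds with its version and whether `JndiLookup.class` is still inside (the class removed by the upstream fix and by the common "delete it from the jar" mitigation), and flags anything that needs action. The `demo()` function builds a constructed layout with stand-in jars in a temporary directory; the jar names and the directory layout are assumptions for the demo, and the fake jars contain no real bytecode.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Entry deleted by the upstream fix and by the "remove the class" mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def version_is_fixed(version):
    """True if this log4j-core version addresses both CVE-2021-44228 and
    CVE-2021-45046: 2.16.0 and later on the main line, or 2.12.2 and later
    on the Java 7 (2.12.x) maintenance line."""
    return version >= (2, 16, 0) or (2, 12, 2) <= version < (2, 13, 0)


def inspect_log4j_jars(es_home):
    """Walk an Elasticsearch install (lib/ and plugins/ alike) and report
    every log4j-core jar: where it lives, its version, whether JndiLookup
    is still present, and whether that combination needs action."""
    es_home = Path(es_home)
    findings = []
    for jar in sorted(es_home.rglob("log4j-core-*.jar")):
        m = JAR_RE.match(jar.name)
        if not m:
            continue  # not a plain versioned log4j-core jar, skip
        version = tuple(int(x) for x in m.groups())
        with zipfile.ZipFile(jar) as zf:
            has_jndi = JNDI_LOOKUP in zf.namelist()
        findings.append({
            "path": jar.relative_to(es_home).as_posix(),
            "version": version,
            "jndi_lookup_present": has_jndi,
            # A jar is only acceptable if it is a fixed release AND no longer
            # carries JndiLookup (a fixed release never does; an old release
            # with the class stripped is a mitigation, not an upgrade).
            "needs_action": has_jndi or not version_is_fixed(version),
        })
    return findings


def make_fake_jar(path, with_jndi):
    """Constructed stand-in for a log4j-core jar (demo only): a zip with a
    manifest and, optionally, a JndiLookup entry holding placeholder bytes."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # not real bytecode


def demo():
    """Build two constructed ES homes, one before and one after an upgrade,
    and return the findings for each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        before = Path(tmp) / "es-before"
        after = Path(tmp) / "es-after"
        # Assumed layout: an old log4j-core still carrying JndiLookup under lib/.
        make_fake_jar(before / "lib" / "log4j-core-2.11.1.jar", with_jndi=True)
        # After upgrading Elasticsearch: a fixed release without the class.
        make_fake_jar(after / "lib" / "log4j-core-2.17.1.jar", with_jndi=False)
        results["before"] = inspect_log4j_jars(before)
        results["after"] = inspect_log4j_jars(after)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        for f in findings:
            print(label, f["path"], ".".join(map(str, f["version"])),
                  "JndiLookup" if f["jndi_lookup_present"] else "no JndiLookup",
                  "NEEDS ACTION" if f["needs_action"] else "ok")
```

On a real install, call `inspect_log4j_jars("/usr/share/elasticsearch")` (or wherever ES_HOME points). Scanning `plugins/` as well is deliberate: it confirms that no plugin, ReadonlyREST included, carries a private copy of log4j-core that an Elasticsearch upgrade would leave behind.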