OSTIF and X41-Dsec collaborated with OpenSearch on a security audit of version 2.8.0 of the open source search engine. As a search engine, the project handles sensitive data, so security is of utmost importance to its users, maintainers, and community. The main objective of this audit was to find vulnerabilities through manual code review and static code analysis.

The team at X41 performed manual penetration testing supported by static code analyzers, looking specifically for vulnerability classes such as local privilege escalation, server-side request forgery, unsafe object deserialization, command injection, and cross-site scripting. X41 also compared the known vulnerabilities of Elasticsearch, a related open source search engine, against this project so that any overlapping findings could be fixed.

The audit reported two low-criticality vulnerabilities and six informational findings. The first low finding, OPNSRCH-PT-23-0, is a limited exploit in which a function executes a command containing a plugin name without any validation or escaping; it is only feasible if an attacker is able to modify the file containing the list of plugins. The second low finding, OPNSRCH-PT-23-02, concerns a download of code without an integrity check (CWE-494). The remaining findings, while not rated as having a direct security impact in their current state, should still be resolved so that they do not evolve into more serious vulnerabilities.
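The two defensive patterns these findings call for, as an added illustration that is not OpenSearch's code: a plugin list whose entries are validated before any command is built (as an argv list, so no shell ever parses the name), and a downloaded artifact checked against a pinned SHA-256 before use. The naming rule, the installer command name and the sample artifact are assumptions made for the example.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed naming rule for this example (not OpenSearch's actual rule):
# lowercase letters, digits and dashes, 1-64 characters.
PLUGIN_NAME_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,63}")

def validate_plugin_name(name: str) -> bool:
    """True only for names that cannot carry shell metacharacters, spaces or path parts."""
    return PLUGIN_NAME_RE.fullmatch(name) is not None

def build_install_argv(name: str) -> list[str]:
    """Build an argv list for a hypothetical installer CLI. An argv list goes straight
    to exec (e.g. subprocess.run(argv)), so the name is never interpreted by a shell."""
    if not validate_plugin_name(name):
        raise ValueError(f"refusing plugin name {name!r}")
    return ["plugin-installer", "install", name]  # hypothetical command name

def load_plugin_list(text: str) -> tuple[list[str], list[str]]:
    """Parse a plugin-list file (one name per line) into (accepted, rejected).
    A tampered list thus yields rejected entries rather than a crafted command."""
    accepted, rejected = [], []
    for line in text.splitlines():
        name = line.strip()
        if not name or name.startswith("#"):
            continue
        (accepted if validate_plugin_name(name) else rejected).append(name)
    return accepted, rejected

def verify_download(path: Path, expected_sha256: str) -> bool:
    """Compare a downloaded artifact's SHA-256 with a pinned value (CWE-494 mitigation)."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_sha256.lower())

def demo() -> tuple[bool, bool]:
    """Write a constructed artifact, then check it against a correct and a wrong pin."""
    good = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"  # sha256(b"hello")
    with tempfile.TemporaryDirectory() as d:
        artifact = Path(d) / "plugin.zip"
        artifact.write_bytes(b"hello")  # constructed sample bytes, not a real plugin
        return verify_download(artifact, good), verify_download(artifact, "00" * 32)

if __name__ == "__main__":
    print(load_plugin_list("analysis-icu\nbad name\n../x\n"), demo())
```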

OpenSearch is a well-maintained project with a lively community of contributors. This, together with its position as a well-regarded search engine software suite, means it has undergone multiple audits and security reviews. The findings of this report are consistent with a well-reviewed project and support the argument that projects that undergo third-party security audits tend to have fewer issues to remediate and a better security testing practice and posture. It also means that users, whose livelihoods and private information are increasingly digital, benefit from code that is secure by default.

This audit would not have been possible without the hard work of several individuals and teams. Our gratitude goes to X41-Dsec, specifically Luc Gommans, Markus Vervier, Niklas Able, L. Rudman, and J.M., as well as Babette De Decker and Sofie Seuren. Further grateful acknowledgements go to the OpenSearch team at AWS, consisting of Daryll Swagger, James McIntyre, and Dave Lago. Without the team's contributions and AWS funding, this audit would have been neither feasible nor successful.

Read the audit report HERE

Read X41-Dsec’s blog about the engagement HERE

Read OpenSearch’s blog about the audit HERE