Keywords: Elasticsearch - Google Cloud Platform - Technical issue - Credentials
I have two virtual machines both running Elasticsearch. The first runs 6.3.1-0 and in the “Application Info” panel has “Credentials” (username and password) needed to connect to Elasticsearch. Without those I can’t connect (which is as it should be).
The second runs version 7.9.1-0, and also has a panel labelled “Credentials”, but I don’t need these to connect to the server. Hence it is open to anyone and can be (and has been) hit by “meow” attacks.
I’m puzzled by this change in behaviour, and why the credentials Bitnami shows are not actually needed. Why make the server instantly vulnerable to a well-known attack?
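One way to check the difference between the two machines described above is to probe the same URL once without credentials and once with them, then compare the results. This is an added example, not part of the original post and not Bitnami's code. The function names are hypothetical, and it assumes the node answers over HTTP at the URL you pass and that a protected node returns 401 or 403 to a request without credentials.

```python
import base64
import sys
import urllib.error
import urllib.request


def basic_auth_header(username, password):
    """Build the value of an HTTP Basic Authorization header."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def probe(url, username=None, password=None, timeout=5):
    """GET url and return the HTTP status, or None if the host is unreachable."""
    req = urllib.request.Request(url)
    if username is not None:
        req.add_header("Authorization", basic_auth_header(username, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises 401/403 as exceptions
    except (urllib.error.URLError, OSError):
        return None


def classify(anon_status, auth_status):
    """Interpret one anonymous and one authenticated probe of the same URL."""
    if anon_status is None:
        return "unreachable"
    if 200 <= anon_status < 300:
        # The server answered without credentials, so a successful
        # authenticated request proves nothing: the header is ignored.
        return "open"
    if anon_status in (401, 403):
        if auth_status is not None and 200 <= auth_status < 300:
            return "protected"
        return "protected-credentials-rejected"
    return "unknown"


if __name__ == "__main__":
    # Usage: python check_es_auth.py URL USER PASSWORD  (run against your own node)
    url, user, password = sys.argv[1:4]
    verdict = classify(probe(url), probe(url, user, password))
    print(f"{url}: {verdict}")
    sys.exit(0 if verdict == "protected" else 1)
```

A result of `open` means the credentials shown in the panel are not being enforced on that endpoint, even though a request that includes them also succeeds.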