OpenSearch Data Prepper Trusts All SSL Certificates by Default in OpenSearch Sink and Source Plugins

Vulnerability

A vulnerability exists in OpenSearch Data Prepper versions prior to 2.12.2, where the OpenSearch sink and source plugins trust all SSL certificates by default when no certificate path is specified. This behavior bypasses SSL certificate validation, leaving connections to OpenSearch clusters vulnerable to man-in-the-middle attacks, where an attacker could intercept and modify data in transit. The issue arises when the 'cert' parameter is not explicitly provided in the OpenSearch sink or source configuration.

Impact

Exploitation of this vulnerability allows for man-in-the-middle attacks, where an attacker can intercept and alter data being transmitted to or from an OpenSearch cluster.

Reproduction

The vulnerability can be reproduced by configuring an OpenSearch sink or source in Data Prepper without specifying a certificate path. When the 'cert' parameter is omitted, the plugins automatically trust all SSL certificates, which exposes the connection to interception and modification of data in transit.

Remediation

Users can upgrade to OpenSearch Data Prepper version 2.12.2 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, the 'cert' parameter can be added to the OpenSearch sink or source configuration, specifying the path to the cluster's CA certificate.
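
To find configurations that need the workaround, the following added example (not part of the advisory or of Data Prepper) lists every opensearch source or sink in a parsed pipeline file that sets no 'cert'. It assumes the usual pipeline layout (pipeline name, then a 'source' mapping and a 'sink' list) and accepts a 'cert' key anywhere inside the plugin block; the host names and certificate path in the sample are constructed.

```python
"""Flag Data Prepper opensearch sources/sinks that set no 'cert' (added example)."""
import sys

def _has_cert(settings):
    """True if a non-empty 'cert' key appears anywhere in the plugin settings."""
    if isinstance(settings, dict):
        return any((k == "cert" and bool(v)) or _has_cert(v) for k, v in settings.items())
    if isinstance(settings, list):
        return any(_has_cert(item) for item in settings)
    return False

def _plugins(section):
    """Yield (plugin_name, settings) from a source mapping or a sink list."""
    entries = section if isinstance(section, list) else [section]
    for entry in entries:
        if isinstance(entry, dict):
            yield from entry.items()

def find_unpinned(pipelines):
    """Return 'pipeline/section' labels for opensearch plugins with no cert."""
    findings = []
    for name, body in pipelines.items():
        if not isinstance(body, dict):
            continue  # skip non-pipeline entries such as a top-level 'version'
        for section in ("source", "sink"):
            for plugin, settings in _plugins(body.get(section)):
                if plugin == "opensearch" and not _has_cert(settings):
                    findings.append(f"{name}/{section}")
    return findings

# Constructed sample, shaped like a parsed pipelines.yaml (all values are placeholders).
HOSTS = ["https://os.example.internal:9200"]
SAMPLE = {
    "version": "2",
    "log-pipeline": {"source": {"http": None},
                     "sink": [{"opensearch": {"hosts": HOSTS, "index": "logs"}}]},
    "metrics-pipeline": {"source": {"http": None},
                         "sink": [{"opensearch": {"hosts": HOSTS, "cert": "/etc/data-prepper/ca.pem"}}]},
    "reindex-pipeline": {"source": {"opensearch": {"hosts": HOSTS}},
                         "sink": [{"stdout": None}]},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        import yaml  # PyYAML, needed only when reading a real pipeline file
        with open(sys.argv[1]) as fh:
            SAMPLE = yaml.safe_load(fh) or {}
    for hit in find_unpinned(SAMPLE):
        print("no cert set:", hit)
```

The check only confirms that a 'cert' value is present; whether the file it names is the cluster's CA certificate still has to be verified separately.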

Added: Oct 15, 2025, 6:22 PM
Updated: Oct 15, 2025, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread: 1.2
impact: 5.0
exploitability: 5.3
remediation: 8.3
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.