In the apology we posted last week, we promised you that we’ll come up with a concrete action plan to address our embarrassing miscalculation which left you running an outdated, potentially vulnerable Elasticsearch 5.6 instance to have your daily dose of your favourite Security Incident Response Platform (TheHive, n’est-ce pas ?) and its analysis and orchestration companion (Cortex, what else?).
Well, guess what? We are going to deliver on that promise and we will pay back not only our Elastic debt but also, and as described in our previous post, update the rather old AngularJS version we were using to the latest one.
What Have Been Done so Far on TheHive
We have almost completed TheHive 3.4.0-RC1, the next release candidate of TheHive, which will support ES 6 but also ES 5.6 to give you enough time to migrate before dropping the support of this dead software in the next major version (see below).
AngularJS and its sub projects have been upgraded to 1.7.8, the latest 1.x version as of this writing. Additionally, Grunt build dependencies have also been updated to their latest compatible versions.
What about Cortex?
Cortex 3, which is still a release candidate at this stage, has also been made compatible with ES 6 and 5.6. AngularJS and its sub projects have also been upgraded to 1.7.8.
If you are using Cortex 2, you will need to upgrade to the final release of Cortex 3.0.0 to get ES6 support (or to the next RC if you are a daring soul). Cortex 3 does not introduce breaking changes that would make the upgrade a hair-splitting process and you would still be able to use Cortex 2’s non-dockerized analyzers and configuration. We will provide a step-by-step migration guide in due time.
What is Going to Happen Next?
If we set the oven’s temperature right, TheHive 3.4.0-RC1 and Cortex 3.0.0-RC3 should be at your favourite cyberbakery sometime next week, for free as usual. And of course, we’ll give you a shout out as soon as we hear the ding sound indicating that cooking time is over.
We’ll detail how to taste these fresh pieces of code but to put it simply, a new version of elastic4play will be installed as part of the upgrade process and a migration step will occur. You can start by upgrading ES 5.6 to the latest version of ES 6 then update TheHive and Cortex or do it the other way around. You’ll be in control.
Well, *cough*, since you’ve asked, we feel compelled to answer:
- TheHive and Cortex will use HTTP transport (9200/tcp by default) to connect to Elasticsearch instead of its native binary protocol (9300/tcp by default).
- SSL/TLS, including when using a client certificate, can be configured to connect securely to ES. However this has not been tested yet.
- Support of X-Pack and Search Guard is discontinued for anything but basic and SSL client authentication, which would still work (but we haven’t got around to check that yet).
How Can You Help
Easy! when we’ll tell you it’s time to take TheHive 3.4.0-RC1 and Cortex 3.0.0-RC3 for a spin, please do so and test them as thoroughly as possible. The better you test and report back any issues you encounter, the faster we’ll be able to polish the final releases for production environments.
Now all you gotta do is to sit tight, grab some popcorn and wait for the next episode of Game of Neurones.