Improper TLS Certificate Validation in CISA Thorium Elasticsearch Connection

An attacker who has access to a Thorium cluster can impersonate the Elasticsearch service to Thorium. This can allow interception and manipulation of data exchanged between Thorium and what it believes is Elasticsearch, undermining the confidentiality and integrity of that connection. Depending on deployment and application behavior, successful exploitation could enable unauthorized access to indexed or queried data, injection of falsified responses, disruption of normal cluster operations, or use of the spoofed backend as a pivot for further attacks against the Thorium environment.

Until the fixed version can be deployed, restrict network access so that only the legitimate Elasticsearch service can communicate with Thorium over the relevant channels. Use network segmentation, firewall rules, and service allowlisting to reduce the opportunity for an attacker to position a rogue Elasticsearch endpoint. Monitor for unexpected certificate usage, anomalous Elasticsearch endpoints, or changes in Thorium backend connectivity. If possible in the deployment, enforce certificate pinning or external TLS validation controls to ensure Thorium only connects to trusted Elasticsearch instances.

Upgrade CISA Thorium to version 1.1.2 or later, which fixes the certificate validation flaw in Elasticsearch connections. After upgrading, verify that TLS certificate validation is enabled and functioning correctly for all Thorium-to-Elasticsearch communications, including validation of the certificate chain and expected server identity.