[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Elasticsearch vulnerability CVE-2015-4165
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Elasticsearch vulnerability CVE-2015-4165
- From: Kevin Kluge <kevin@xxxxxxxxxx>
- Date: Tue, 9 Jun 2015 14:39:33 -0700
Summary:
Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered attack on
other applications on the system. The snapshot API may be used indirectly to
place snapshot metadata files into locations that are writeable by the user
running the Elasticsearch process. It is possible to create a file that
another application could read and take action on, such as code execution.
This vulnerability requires several conditions to be exploited. There must be
some other application running on the system that would read Lucene files and
execute code from them. That application must also be accessible to the
attacker, e.g. over the network. Lastly, the Java VM running the Elasticsearch
process must be able to write into a location that the other application will
read and potentially execute.
We have been assigned CVE-2015-4165 for this issue.
Fixed versions:
Version 1.6.0 address the vulnerability by adding configuration to limit the
filesystem paths that the Java VM can write into.
Remediation:
Users should upgrade to the 1.6.0 release.
Users that do not want to upgrade can address the vulnerability in any of
several ways:
- ensure that there are no other applications running on the Elasticsearch
server
- ensure that the Elasticsearch JVM cannot write a directory that other
applications read from
- use a firewall, reverse proxy, or Shield to prevent snapshot API calls from
some or all users
- ensure that other applications running on the server are not accessible to
attackers
CVSS
Overall CVSS score: 5.1