ElasticSearch Security Advisory: CVE-2015-1427

[ManagerJosh]

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1427
http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/

 

[Mike Edge]

This is a bit old, Since then there is also now a 1.4.4 release

 

[ManagerJosh]

Agreed that it's a bit old, but there apparently are a quite a few webmasters who aren't aware of the security advisory for elasticsearch.

 

[Xon]

Floren's Axivo repo ships with this old version, and is included in the recommended install process for CentOS in the sticky

 

[DRaver]

Is that not only a problem for people that have a public IP port for ES?

 

[Brent W]

Makes me worried using @Floren setup when it can't be updated quickly for security updates. I realize it is free, but still makes me want to go back to official rpms.

 

[ManagerJosh]

Is that not only a problem for people that have a public IP port for ES?

My understanding is that a well crafted search input would cause this security exploit to trigger. It is irrelevant of whether the IP port is public facing or not because elasticsearch is still executing input from the web.

 

[Mike]

This particular issue appears to relate to scripts escaping the sandbox. As such, it's very likely that you need direct access to the Elasticsearch server to actually craft the script. This script is used for things like custom scoring. (I suppose if a tool passed user input to the dynamic script and didn't use the variables system then that could be exploited, but that's a pretty bad design.)

 

[Mike Edge]

From my understanding from reading at both ES's site and stackoverflow, this exploit can only happen if the server port is open to the public and the IP is public. even if the 9200 port is active, if ES is binded only to 127.0.0.1 or an intranet IP like 10.10.6.9 it can not be executed unless you have physical acccess to the server. Having 9200 closed also prevents it being executed by someone having access to the server, like another user.

 

[Floren]

Having 9200 closed also prevents it being executed by someone having access to the server, like another user.

There is no need to close port 9200:

[root@chronos ~]# ss -aln |grep 9200
LISTEN     0      50         ::ffff:127.0.0.1:9200                    :::*