The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
My understanding is that a well-crafted search input would cause this security exploit to trigger. It is irrelevant whether the IP port is public facing or not, because Elasticsearch is still executing input from the web.
This particular issue appears to relate to scripts escaping the sandbox. As such, it's very likely that you need direct access to the Elasticsearch server to actually craft the script. This script is used for things like custom scoring. (I suppose if a tool passed user input to the dynamic script and didn't use the variables system then that could be exploited, but that's a pretty bad design.)
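The "variables system" mentioned in the post above, shown as an added example that is not part of the original thread: a scoring request built by concatenating user input into the script source, beside one that keeps the script constant and passes the value through `params`. The field name `popularity`, the parameter name `boost`, and the range limits are hypothetical.

```python
import json
import math

# Fixed script source: never built from request data. The field name
# "popularity" and the parameter name "boost" are hypothetical.
SCORE_SCRIPT = "_score * doc['popularity'].value * boost"


def unsafe_body(text, user_boost):
    """Before: user input becomes part of the Groovy source the server runs."""
    return {
        "query": {
            "function_score": {
                "query": {"match": {"title": text}},
                "script_score": {"script": "_score * " + user_boost},
            }
        }
    }


def safe_body(text, user_boost, lo=0.0, hi=10.0):
    """After: the script is constant; user input travels only as a typed param."""
    boost = float(user_boost)  # ValueError on anything that is not a number
    if not math.isfinite(boost) or not lo <= boost <= hi:
        raise ValueError("boost out of range")
    return {
        "query": {
            "function_score": {
                "query": {"match": {"title": text}},
                "script_score": {
                    "lang": "groovy",
                    "script": SCORE_SCRIPT,
                    "params": {"boost": boost},
                },
            }
        }
    }


if __name__ == "__main__":
    constructed_input = "2.5"  # constructed sample value
    print(json.dumps(safe_body("security", constructed_input), indent=2))
```

This keeps application users' input out of the script source; it does not change what a client that can send scripts to the server directly is able to do.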
From my understanding from reading both ES's site and Stack Overflow, this exploit can only happen if the server port is open to the public and the IP is public. Even if port 9200 is active, if ES is bound only to 127.0.0.1 or an intranet IP like 10.10.6.9, it cannot be executed unless you have physical access to the server. Having 9200 closed also prevents it being executed by someone having access to the server, like another user.