ElasticSearch Security Advisory: CVE-2015-1427


Well-known member
Floren's Axivo repo ships with this old version, and is included in the recommended install process for CentOS in the sticky

Brent W

Well-known member
Makes me worried using @Floren setup when it can't be updated quickly for security updates. I realize it is free, but still makes me want to go back to official rpms.


Well-known member
Is that not only a problem for people that have a public IP port for ES?
My understanding is that a well crafted search input would cause this security exploit to trigger. It is irrelevant of whether the IP port is public facing or not because elasticsearch is still executing input from the web.


XenForo developer
Staff member
This particular issue appears to relate to scripts escaping the sandbox. As such, it's very likely that you need direct access to the Elasticsearch server to actually craft the script. This script is used for things like custom scoring. (I suppose if a tool passed user input to the dynamic script and didn't use the variables system then that could be exploited, but that's a pretty bad design.)

Mike Edge

Well-known member
From my understanding from reading at both ES's site and stackoverflow, this exploit can only happen if the server port is open to the public and the IP is public. even if the 9200 port is active, if ES is binded only to or an intranet IP like it can not be executed unless you have physical acccess to the server. Having 9200 closed also prevents it being executed by someone having access to the server, like another user.