
ElasticSearch Security Advisory: CVE-2015-1427

Discussion in 'Enhanced Search Support' started by ManagerJosh, Mar 9, 2015.

  1. ManagerJosh

    ManagerJosh Well-Known Member

  2. The Forum Heroes

    The Forum Heroes Well-Known Member

    This is a bit old. Since then there is also now a 1.4.4 release.
  3. ManagerJosh

    ManagerJosh Well-Known Member

    Agreed that it's a bit old, but there apparently are quite a few webmasters who aren't aware of the security advisory for Elasticsearch.
    Xon, RoldanLT, Steve F and 1 other person like this.
  4. Xon

    Xon Well-Known Member

    Floren's Axivo repo ships with this old version, and is included in the recommended install process for CentOS in the sticky
  5. DRaver

    DRaver Active Member

    Is that not only a problem for people that have a public IP port for ES?
  6. BamaStangGuy

    BamaStangGuy Well-Known Member

    Makes me worried using @Floren's setup when it can't be updated quickly for security updates. I realize it is free, but it still makes me want to go back to official RPMs.
    Xon likes this.
  7. ManagerJosh

    ManagerJosh Well-Known Member

    My understanding is that a well-crafted search input would cause this security exploit to trigger. It is irrelevant whether the IP port is public facing or not, because Elasticsearch is still executing input from the web.
    Xon likes this.
  8. Mike

    Mike XenForo Developer Staff Member

    This particular issue appears to relate to scripts escaping the sandbox. As such, it's very likely that you need direct access to the Elasticsearch server to actually craft the script. This script is used for things like custom scoring. (I suppose if a tool passed user input to the dynamic script and didn't use the variables system then that could be exploited, but that's a pretty bad design.)
  9. The Forum Heroes

    The Forum Heroes Well-Known Member

    From my understanding from reading at both ES's site and Stack Overflow, this exploit can only happen if the server port is open to the public and the IP is public. Even if the 9200 port is active, if ES is bound only to or an intranet IP like it cannot be executed unless you have physical access to the server. Having 9200 closed also prevents it being executed by someone having access to the server, like another user.
  10. Floren

    Floren Well-Known Member

    There is no need to close port 9200:
    [root@chronos ~]# ss -aln |grep 9200
    LISTEN     0      50         ::ffff:                    :::*
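
The last two posts turn on which address Elasticsearch is bound to. As an added example (not part of any post in this thread), the Python below reads `ss -ln` style output and classifies each listener on port 9200 as loopback, private, wildcard or public. The sample lines and the function names are constructed for illustration.

```python
import ipaddress

ES_PORT = 9200  # HTTP port discussed in the thread

def classify_bind(addr: str) -> str:
    """Classify a local bind address: wildcard, loopback, private, public."""
    addr = addr.strip("[]").split("%")[0]  # drop [..] brackets and zone id
    if addr in ("*", ""):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    # ss shows IPv4 sockets on a dual-stack JVM as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"

def es_listeners(ss_output: str, port: int = ES_PORT):
    """Return [(bind_address, exposure)] for LISTEN sockets on `port`."""
    suffix = f":{port}"
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue
        # Local Address:Port is the first column ending in ":<port>"
        local = next((f for f in fields if f.endswith(suffix)), None)
        if local is not None:
            addr = local[: -len(suffix)]
            found.append((addr, classify_bind(addr)))
    return found

# Constructed sample lines (collected from different hosts), not real output.
SAMPLE = """\
State   Recv-Q Send-Q  Local Address:Port      Peer Address:Port
LISTEN  0      50      ::ffff:127.0.0.1:9200   :::*
LISTEN  0      50      :::9200                 :::*
LISTEN  0      50      10.0.0.5:9200           *:*
LISTEN  0      128     *:22                    *:*
"""

if __name__ == "__main__":
    for addr, exposure in es_listeners(SAMPLE):
        print(f"{addr:<20} {exposure}")
```

Anything reported as wildcard or public is reachable from other hosts unless a firewall blocks it, so those are the bindings to review first.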
