ElasticSearch Security Advisory: CVE-2015-1427

Xon

Well-known member
#4
Floren's Axivo repo ships with this old version, and is included in the recommended install process for CentOS in the sticky.
 

Brent W

Well-known member
#6
Makes me worried about using @Floren's setup when it can't be updated quickly for security updates. I realize it is free, but it still makes me want to go back to the official rpms.
 

ManagerJosh

Well-known member
#7
Is that not only a problem for people that have a public IP port for ES?
My understanding is that a well-crafted search input would cause this security exploit to trigger. It is irrelevant whether the IP port is public facing or not, because Elasticsearch is still executing input from the web.
 

Mike

XenForo developer
Staff member
#8
This particular issue appears to relate to scripts escaping the sandbox. As such, it's very likely that you need direct access to the Elasticsearch server to actually craft the script. This script is used for things like custom scoring. (I suppose if a tool passed user input to the dynamic script and didn't use the variables system then that could be exploited, but that's a pretty bad design.)
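
The design point in the post above (user input belongs in the script's variables, not in the script text), as an added example that is not part of the original post or of XenForo's code. It uses the `function_score` / `script_score` request shape with `script` and `params`; the field name `message`, the function names and the sample input are assumptions.

```python
import json

# Fixed script text: never built from request data. 'factor' is a script
# variable that Elasticsearch binds from "params" when the script runs.
SCORE_SCRIPT = "_score * factor"


def unsafe_body(keywords, factor):
    """Anti-pattern: the user-supplied value becomes part of the script source."""
    return {"query": {"function_score": {
        "query": {"match": {"message": keywords}},  # 'message' is an assumed field
        "script_score": {"script": "_score * " + str(factor)},
    }}}


def safe_body(keywords, factor):
    """User input travels only as data: match text and one numeric param."""
    factor = float(factor)  # ValueError for anything that is not a number
    if not 0.0 < factor <= 10.0:  # also rejects nan and inf
        raise ValueError("factor out of range")
    return {"query": {"function_score": {
        "query": {"match": {"message": keywords}},
        "script_score": {"script": SCORE_SCRIPT, "params": {"factor": factor}},
    }}}


def script_source(body):
    """Return the script text a request body would ask the server to compile."""
    return body["query"]["function_score"]["script_score"]["script"]


if __name__ == "__main__":
    constructed = "2 * 2"  # constructed sample input: text where a number is expected
    print("unsafe script:", script_source(unsafe_body("forum search", constructed)))
    print("safe request :", json.dumps(safe_body("forum search", "1.5")))
    try:
        safe_body("forum search", constructed)
    except ValueError as exc:
        print("rejected     :", exc)
```

In the safe form the script source is the same string for every request, so a reviewer can audit one constant instead of every code path that builds a query.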
 

Mike Edge

Well-known member
#9
From my understanding from reading at both ES's site and Stack Overflow, this exploit can only happen if the server port is open to the public and the IP is public. Even if the 9200 port is active, if ES is bound only to 127.0.0.1 or an intranet IP like 10.10.6.9, it cannot be executed unless you have physical access to the server. Having 9200 closed also prevents it being executed by someone having access to the server, like another user.