
Is Elasticsearch 1.5.2 safe to use?

Discussion in 'Enhanced Search Support' started by kontrabass, Aug 1, 2015.

  1. kontrabass

    kontrabass Well-Known Member

    Does anyone have any information on whether version 1.5.2 of Elasticsearch has (or needs) the security fixes from 1.6.1? From the ES blog:

    Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol (used for communication between nodes and Java clients) that enables remote code execution. This issue is related to the Groovy announcement in CVE-2015-3253.

    Deployments are vulnerable even when Groovy dynamic scripting is disabled. Users that do not want to upgrade can address the vulnerability by securing the transport protocol port (default 9300) to allow access by only trusted agents.

    Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to retrieve files that are readable by the Elasticsearch JVM process. Users that do not wish to upgrade can use a firewall, reverse proxy, or Shield to prevent Snapshot-Restore API calls from untrusted sources.

    We are using @Floren 's Axivo repository RPM which IIRC is based on 1.5.2 as of this post.
  2. Xon

    Xon Well-Known Member

    It is strongly recommended to not have elastic search accessible from the internet (i.e. firewalled off).

    I use the official repositories so I can ensure I stay up-to-date since Elastic Search has an aggressive update schedule.
    MattW and kontrabass like this.
  3. kontrabass

    kontrabass Well-Known Member

    Just switched to the official repo, was super easy following instructions Repositories

    Updated to 1.6.2 no problem.

    Yes, we have it bound to local IP :)

  4. Xon

    Xon Well-Known Member

    You might as well update to 1.7.1 while you are at it :p
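
The checks discussed in this thread, as an added example that is not part of the original posts or of Elasticsearch itself: it compares an installed version against the two ranges in the quoted blog text and checks whether `elasticsearch.yml` binds to loopback. The function names, finding labels and sample config are constructed for illustration; it assumes flat `key: value` settings and that a 1.x node with no `network.host` listens on all interfaces.

```python
import ipaddress

# Version ranges exactly as stated in the blog text quoted in the thread.
TRANSPORT_RCE_FIXED = (1, 6, 1)            # "versions prior to 1.6.1"
TRAVERSAL_RANGE = ((1, 0, 0), (1, 6, 0))   # "from 1.0.0 to 1.6.0"

# Constructed sample config, not taken from any real deployment.
SAMPLE_YML = "cluster.name: forum-search\nnetwork.host: 192.168.1.10  # LAN address\n"

def parse_version(text):
    """Turn '1.5.2' into (1, 5, 2); a suffix such as '-SNAPSHOT' is dropped."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_flat_yaml(text):
    """Read flat 'key: value' lines; nested YAML is out of scope (assumption)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback(host):
    if host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames or interface tokens: treat as reachable

def audit(version_text, yaml_text):
    """Return a list of hypothetical finding labels for one node."""
    version = parse_version(version_text)
    settings = parse_flat_yaml(yaml_text)
    host = settings.get("network.bind_host") or settings.get("network.host") or "0.0.0.0"
    findings = []
    if version < TRANSPORT_RCE_FIXED:
        findings.append("transport-rce")
    if TRAVERSAL_RANGE[0] <= version <= TRAVERSAL_RANGE[1]:
        findings.append("snapshot-traversal")
    if not is_loopback(host):
        findings.append("bind-not-loopback")  # needs a firewall rule on 9300 and the HTTP port
    return findings

if __name__ == "__main__":
    print(audit("1.5.2", SAMPLE_YML))
```

A `bind-not-loopback` finding on a patched version is not a vulnerability by itself; it marks a node whose ports still need to be restricted to trusted hosts.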
