Bug 1191969 (CVE-2015-1427)

Summary: CVE-2015-1427 elasticsearch: remote code execution via Groovy sandbox bypass
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: atangrin, bkearney, bleanhar, cbillett, ccoleman, chazlett, cpelland, dmcphers, hghasemb, jdetiber, jialiu, jkeck, jokerman, katello-bugs, kseifried, lmeyer, mmccomas, mmccune, tjay, tomckay, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Elasticsearch 1.3.8, Elasticsearch 1.4.3 Doc Type: Bug Fix
Doc Text:
It was reported that Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-12 18:00:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1191970    

Description Vasyl Kaigorodov 2015-02-12 10:12:23 UTC 
It was reported that Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.

Upstream bug report:
https://github.com/elasticsearch/elasticsearch/issues/9655

Upstream fixes:
1.3: https://github.com/elasticsearch/elasticsearch/commit/69735b0f4ab9ad7df4b82e8c917589b52cb9978c
1.4: https://github.com/elasticsearch/elasticsearch/commit/4e952b2d75de6ca4caf4b6743462714f3b60d07f
1.x: https://github.com/elasticsearch/elasticsearch/commit/716f0b24dc5414616e8dc0590dbfcfa0081be892

Mitigation:
Users can address the vulnerability by setting script.groovy.sandbox.enabled to false in config/elasticsearch.yml and restarting the node.
Comment 1 Tomas Hoger 2015-03-10 14:13:15 UTC 
Upstream announcement of fixed versions 1.3.8 and 1.4.3 which describes the issue:
http://www.elasticsearch.org/blog/elasticsearch-1-4-3-and-1-3-8-released/

Those versions address the issue by disallowing the use of Groovy for dynamic scripting rather than fixing the sandbox bypass.  The following upstream blog post describes how to use scripts stored in Elasticsearch (indexed script) or on disk:
http://www.elasticsearch.org/blog/running-groovy-scripts-without-dynamic-scripting/

This blog post describes how to exploit this issue:
https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
Comment 2 Tomas Hoger 2015-03-10 14:19:02 UTC 
This issue has similar impact to CVE-2014-3120 (bug 1124252), adjusting impact rating accordingly.
Comment 4 errata-xmlrpc 2017-04-03 21:02:56 UTC 
This issue has been addressed in the following products:



Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868
Comment 6 errata-xmlrpc 2018-07-02 15:51:31 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868