Bug 1230761 (CVE-2015-4165)
| Summary: | CVE-2015-4165 elasticsearch: unspecified arbitrary files modification vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | bkabrda, bkearney, bobjensen, cbillett, cpelland, cperry, java-sig-commits, jvanek, katello-bugs, kseifried, mmccune, ohadlevy, pbrobinson, tjay, tomckay, zbyszek |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Elasticsearch 1.6.0 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-07-14 03:32:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1230765 | ||
| Bug Blocks: | 1230763 | ||
|
Description
Vasyl Kaigorodov
2015-06-11 13:46:36 UTC
Created elasticsearch tracking bugs for this issue: Affects: fedora-all [bug 1230765] Additional information: https://discuss.elastic.co/t/elasticsearch-engineered-attack-vulnerability-cve-2015-4165/2256 Summary: Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered attack on other applications on the system. The snapshot API may be used indirectly to place snapshot metadata files into locations that are writeable by the user running the Elasticsearch process. It is possible to create a file that another application could read and take action on, such as code execution. This vulnerability requires several conditions to be exploited. There must be some other application running on the system that would read Lucene files and execute code from them. That application must also be accessible to the attacker, e.g. over the network. Lastly, the Java VM running the Elasticsearch process must be able to write into a location that the other application will read and potentially execute. The upstream issue, pull and commit are: https://github.com/elastic/elasticsearch/issues/11068 https://github.com/elastic/elasticsearch/pull/11284 https://github.com/imotov/elasticsearch/commit/f5cfb2a1869d1a52930cbd3138278a6e2c1b22e6 For Satellite 6 the install documents: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-single/Installation_Guide/index.html#sect-Red_Hat_Satellite-Installation_Guide-Red_Hat_Satellite_Installation-Configuring_Red_Hat_Satellite_Manually include firewalling elasticseach so that only the foreman, katello and root users can connect. As such this reduces exposure of elasticsearch significantly. Mitigation: For Satellite 6.x and Sam 1.x you can simply firewall elasticsearch to trusted users only (e.g. root, katello, foreman). For instructions on this please see: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-single/Installation_Guide/index.html#sect-Red_Hat_Satellite-Installation_Guide-Red_Hat_Satellite_Installation-Configuring_Red_Hat_Satellite_Manually Updating the severity, for Sam 1.x elasticsearch only listens on localhost, thus local access is required. For Satellite 6.x the installation process should include firewalling it to trusted local users only. As such this only scores 3.3 instead of 5.8 on the CVSS2 scoring. Statement: This issue affects the versions of elasticsearch as shipped with Red Hat Satellite 6.x and Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |