Bug 1244236 (CVE-2015-5377)

Summary: CVE-2015-5377 elasticsearch: unspecified remote code execution vulnerability
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bkabrda, bkearney, bobjensen, cbillett, cpelland, cperry, java-sig-commits, jvanek, katello-bugs, kseifried, mmccune, ohadlevy, pbrobinson, tjay, tomckay, zbyszek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Elasticsearch 1.6.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-20 04:05:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1244239    
Bug Blocks: 1244240    

Description Vasyl Kaigorodov 2015-07-17 14:18:03 UTC 
It was reported that Elasticsearch versions prior to 1.6.1 are vulnerable to an unspecified attack, leading to remote code execution.

Upstream fix is not known at the time of writing.
Comment 1 Vasyl Kaigorodov 2015-07-17 14:22:36 UTC 
Created elasticsearch tracking bugs for this issue:

Affects: fedora-all [bug 1244239]
Comment 2 Kurt Seifried 2015-07-20 04:01:58 UTC 
Reference:

http://seclists.org/bugtraq/2015/Jul/82
Comment 3 Kurt Seifried 2015-07-20 04:03:43 UTC 
Mitigation:

For Satellite 6.x and Sam 1.x you can simply firewall elasticsearch to trusted users only (e.g. root, katello, foreman). For instructions on this please see:

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-single/Installation_Guide/index.html#sect-Red_Hat_Satellite-Installation_Guide-Red_Hat_Satellite_Installation-Configuring_Red_Hat_Satellite_Manually
Comment 4 Kurt Seifried 2015-07-20 04:05:24 UTC 
Updating the severity, for Sam 1.x elasticsearch only listens on localhost, thus local access is required. For Satellite 6.x the installation process should include firewalling it to trusted local users only. As such this only scores 3.3 instead of 5.8 on the CVSS2 scoring.
Comment 5 Kurt Seifried 2015-07-20 04:05:43 UTC 
Statement:

This issue affects the versions of elasticsearch as shipped with Red Hat Satellite 6.x and Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.