It was reported that Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. Upstream bug report: https://github.com/elasticsearch/elasticsearch/issues/9655 Upstream fixes: 1.3: https://github.com/elasticsearch/elasticsearch/commit/69735b0f4ab9ad7df4b82e8c917589b52cb9978c 1.4: https://github.com/elasticsearch/elasticsearch/commit/4e952b2d75de6ca4caf4b6743462714f3b60d07f 1.x: https://github.com/elasticsearch/elasticsearch/commit/716f0b24dc5414616e8dc0590dbfcfa0081be892 Mitigation: Users can address the vulnerability by setting script.groovy.sandbox.enabled to false in config/elasticsearch.yml and restarting the node.
Upstream announcement of fixed versions 1.3.8 and 1.4.3 which describes the issue: http://www.elasticsearch.org/blog/elasticsearch-1-4-3-and-1-3-8-released/ Those versions address the issue by disallowing the use of Groovy for dynamic scripting rather than fixing the sandbox bypass. The following upstream blog post describes how to use scripts stored in Elasticsearch (indexed script) or on disk: http://www.elasticsearch.org/blog/running-groovy-scripts-without-dynamic-scripting/ This blog post describes how to exploit this issue: https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
This issue has similar impact to CVE-2014-3120 (bug 1124252), adjusting impact rating accordingly.
This issue has been addressed in the following products: Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868