Bug 1230761 (CVE-2015-4165) - CVE-2015-4165 elasticsearch: unspecified arbitrary files modification vulnerability
Summary: CVE-2015-4165 elasticsearch: unspecified arbitrary files modification vulnera...
Alias: CVE-2015-4165
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1230765
Blocks: 1230763
TreeView+ depends on / blocked
Reported: 2015-06-11 13:46 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:13 UTC (History)
16 users (show)

Fixed In Version: Elasticsearch 1.6.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-07-14 03:32:03 UTC

Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-06-11 13:46:36 UTC
All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.
Upstream bug/commit unknown at the time of writing.

Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read.

External References:


Comment 1 Vasyl Kaigorodov 2015-06-11 13:48:02 UTC
Created elasticsearch tracking bugs for this issue:

Affects: fedora-all [bug 1230765]

Comment 2 Kurt Seifried 2015-07-10 17:25:00 UTC
Additional information:


Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered attack on other applications on the system. The snapshot API may be used indirectly to place snapshot metadata files into locations that are writeable by the user running the Elasticsearch process. It is possible to create a file that another application could read and take action on, such as code execution.

This vulnerability requires several conditions to be exploited. There must be some other application running on the system that would read Lucene files and execute code from them. That application must also be accessible to the attacker, e.g. over the network. Lastly, the Java VM running the Elasticsearch process must be able to write into a location that the other application will read and potentially execute.

Comment 4 Kurt Seifried 2015-07-11 00:19:50 UTC
For Satellite 6 the install documents:


include firewalling elasticseach so that only the foreman, katello and root users can connect. As such this reduces exposure of elasticsearch significantly.

Comment 5 Kurt Seifried 2015-07-14 03:21:33 UTC

For Satellite 6.x and Sam 1.x you can simply firewall elasticsearch to trusted users only (e.g. root, katello, foreman). For instructions on this please see:


Comment 6 Kurt Seifried 2015-07-14 03:30:30 UTC
Updating the severity, for Sam 1.x elasticsearch only listens on localhost, thus local access is required. For Satellite 6.x the installation process should include firewalling it to trusted local users only. As such this only scores 3.3 instead of 5.8 on the CVSS2 scoring.

Comment 7 Kurt Seifried 2015-07-14 03:32:03 UTC

This issue affects the versions of elasticsearch as shipped with Red Hat Satellite 6.x and Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.