===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0054
           A vulnerability has been identified in Elasticsearch
                               11 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Elasticsearch
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-4165  
Member content until: Saturday, July 11 2015

OVERVIEW

        A vulnerability has been identified in Elasticsearch prior to version
        1.6.0. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerability:
        
        "Security fix for shared file-system repositories
        
        This release includes a change to tighten up the security around the
        shared file system repositories used by snapshot-restore. Currently,
        users of Elasticsearch can write a .snapshot file to any directory 
        that is writeable by the Elasticsearch process. The change in #11284
        makes it mandatory to specify which directories may be used for the
        repository. Appropriate directories should be specified in the 
        config/elasticsearch.yml config file, under the path.repo setting.
        
        A properly configured Elasticsearch instance is not susceptible to 
        this security issue:
        
        Run Elasticsearch as the elasticsearch user, not as root. Ensure 
        that the elasticsearch user only has write permissions on the data 
        directory and whichever directory should be used for the shared file
        system repository. Use a firewall, proxy, or Shield to prevent 
        snapshot API calls from some or all users.
        
        We have been assigned CVE-2015-4165 for this issue." [1]
        
        "Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an 
        engineered attack on other applications on the system. The snapshot
        API may be used indirectly to place snapshot metadata files into 
        locations that are writeable by the user running the Elasticsearch 
        process. It is possible to create a file that another application 
        could read and take action on, such as code execution.
        
        This vulnerability requires several conditions to be exploited. 
        There must be some other application running on the system that 
        would read Lucene files and execute code from them. That application
        must also be accessible to the attacker, e.g. over the network. 
        Lastly, the Java VM running the Elasticsearch process must be able 
        to write into a location that the other application will read and 
        potentially execute." [2]
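        The following is an added illustration, not Elasticsearch's own code: it
        mirrors the restriction the vendor describes, accepting a snapshot
        repository location only if it sits under one of the directories listed
        in path.repo and refusing every location when the setting is absent. The
        elasticsearch.yml samples are constructed, and the parser understands only
        the inline-list and single-scalar forms of the setting.

```python
"""Illustrative path.repo allow-list check (added example, not Elasticsearch code)."""
import json
import os
import re

# Constructed sample configurations, not taken from a real deployment.
WEAK_YML = "cluster.name: prod\npath.data: /var/lib/elasticsearch\n"
HARDENED_YML = (
    "cluster.name: prod\n"
    "path.data: /var/lib/elasticsearch\n"
    'path.repo: ["/mount/backups", "/mount/longterm_backups"]\n'
)

_REPO_RE = re.compile(r"^path\.repo:\s*(.+?)\s*$", re.MULTILINE)


def allowed_repo_paths(yml_text):
    """Return the path.repo directories, or [] when the setting is absent.
    Assumption: only the JSON-style inline list and a bare scalar are parsed."""
    match = _REPO_RE.search(yml_text)
    if not match:
        return []
    raw = match.group(1)
    if raw.startswith("["):
        return [os.path.normpath(p) for p in json.loads(raw)]
    return [os.path.normpath(raw.strip("\"'"))]


def repo_location_allowed(location, allowed):
    """True only if the normalised location lies inside an allowed directory.
    An empty allow-list refuses everything, which is the default the fix
    introduces; '..' segments and look-alike prefixes are not enough to
    escape the listed directories."""
    target = os.path.abspath(location)
    for root in allowed:
        root = os.path.abspath(root)
        if os.path.commonpath([target, root]) == root:
            return True
    return False


if __name__ == "__main__":
    for yml, name in ((WEAK_YML, "weak"), (HARDENED_YML, "hardened")):
        allowed = allowed_repo_paths(yml)
        for loc in ("/mount/backups/nightly", "/mount/backups/../../etc/cron.d"):
            print(name, loc, "->", repo_location_allowed(loc, allowed))
```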


MITIGATION

        The vendor recommends updating to the latest version of 
        Elasticsearch. [2]


REFERENCES

        [1] Elasticsearch 1.6.0 released
            https://www.elastic.co/blog/elasticsearch-1-6-0-released

        [2] Elasticsearch Engineered Attack Vulnerability CVE-2015-4165
            https://discuss.elastic.co/t/elasticsearch-engineered-attack-vulnerability-cve-2015-4165/2256

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================