-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
              AUSCERT Security Bulletin ASB-2015.0054
         A vulnerability has been identified in Elasticsearch
                              11 June 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Elasticsearch
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-4165
Member content until: Saturday, July 11 2015

OVERVIEW

        A vulnerability has been identified in Elasticsearch prior to
        version 1.6.0. [1]

IMPACT

        The vendor has provided the following details regarding the
        vulnerability:

        "Security fix for shared file-system repositories

        This release includes a change to tighten up the security around
        the shared file system repositories used by snapshot-restore.
        Currently, users of Elasticsearch can write a .snapshot file to
        any directory that is writeable by the Elasticsearch process. The
        change in #11284 makes it mandatory to specify which directories
        may be used for the repository. Appropriate directories should be
        specified in the config/elasticsearch.yml config file, under the
        path.repo setting.

        A properly configured Elasticsearch instance is not susceptible to
        this security issue:

        - Run Elasticsearch as the elasticsearch user, not as root.
        - Ensure that the elasticsearch user only has write permissions on
          the data directory and whichever directory should be used for
          the shared file system repository.
        - Use a firewall, proxy, or Shield to prevent snapshot API calls
          from some or all users

        We have been assigned CVE-2015-4165 for this issue." [1]

        "Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an
        engineered attack on other applications on the system. The
        snapshot API may be used indirectly to place snapshot metadata
        files into locations that are writeable by the user running the
        Elasticsearch process. It is possible to create a file that
        another application could read and take action on, such as code
        execution.

        This vulnerability requires several conditions to be exploited.
        There must be some other application running on the system that
        would read Lucene files and execute code from them. That
        application must also be accessible to the attacker, e.g. over
        the network. Lastly, the Java VM running the Elasticsearch process
        must be able to write into a location that the other application
        will read and potentially execute." [2]

MITIGATION

        The vendor recommends updating to the latest version of
        Elasticsearch. [2]

REFERENCES

        [1] Elasticsearch 1.6.0 released
            https://www.elastic.co/blog/elasticsearch-1-6-0-released

        [2] Elasticsearch Engineered Attack Vulnerability CVE-2015-4165
            https://discuss.elastic.co/t/elasticsearch-engineered-attack-vulnerability-cve-2015-4165/2256

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVXjgzhLndAQH1ShLAQLftBAAhmZkTSH5PvRATgym76A/PNA50vZzISpj
97cjttG/sMsxly60TSQd3XAo7TOJsaM2n3DR747p+Z3r2BqXPzZaTYU4+/h+Ekfl
kGEoJ0u1sFmuB3fWftcWEWJ1NGTgHtVNgcSr3vgZMa0+bmupbQISRj92VZCOFt1s
3aRyRVh8IDBiS75USSInZgpXZNxH2Z3PI/DO06T+765ZwqM8RRwbZFti/FXxEOpN
YBgYB0fe2VZqpbV4hgvxAVm/K18mGLK0xtF4a14/XDYIdltVUaod+UVL0c3zsF2m
GCLo3IbLFeZ+ZdiZovHb+rIRaXh8bFG2nIGEFTRV/npQbc0StyH5YA6Z+LJY6pUi
+YnymebhJoPu/zpQ0xGkxJUyS7TpNzW2E2jVHEo/UJVmtTF0GsN7aJAjvXxGkJAe
H/uUdydm34niDWdzGSe6pX7zF7PrTdS/FI3kxPVMR6qqkALFr/aLTIrKZVTyOqmc
w/3jnh3i5tXiCSQUrx2XpP8GCZPUutFyNEm0sSC+GoRQCZukBjmCnTV93EzcJGqS
iIQNA1tVKF3qr8Qw4ySPt0xDfi9BpKcqvMGvT8ur8oyaRMuvEGDFhfaNQuMJ5FqI
9DE//65tVpIIf84NGXXqoioKtJQFd76sJL7mKRyhq6biwuV59Pp2lt7ENWXe5T1r
FazDEuuZ+UU=
=1FYL
-----END PGP SIGNATURE-----
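The vendor text quoted in the bulletin says that 1.6.0 makes the path.repo whitelist in config/elasticsearch.yml mandatory, and that a properly configured instance limits the directories into which snapshot metadata can be written. The shell script below is an added example written for this page; it is not part of the AusCERT bulletin and is not Elasticsearch's own tooling. It reads an elasticsearch.yml, extracts the path.repo roots, and reports whether a candidate repository directory lies under one of them: exit status 1 means path.repo is absent (the pre-1.6 situation where any writeable directory may be used), 2 means it is set but does not cover the directory. The config key and file name are those named in the advisory; the two sample configuration files and the /mnt/... directories are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the AusCERT bulletin or from Elastic): audit an
# elasticsearch.yml for the path.repo whitelist that Elasticsearch 1.6.0
# made mandatory for shared file-system snapshot repositories.

# Print the directories listed under path.repo in the given elasticsearch.yml,
# one per line. Assumption: the value is on the same line as the key, e.g.
#   path.repo: ["/mnt/backups", "/mnt/snapshots"]   or   path.repo: /mnt/backups
# A YAML block sequence (one "- /dir" per line) is not handled by this parser.
repo_roots() {
    grep -E '^[[:space:]]*path\.repo[[:space:]]*:' "$1" \
      | sed -e 's/#.*//' \
            -e 's/^[^:]*:[[:space:]]*//' \
            -e "s/[][\",']/ /g" \
      | tr -s ' ' '\n' | sed '/^$/d'
}

# Return 0 when directory $2 is (or lies under) one of the path.repo roots in
# config $1, 1 when path.repo is absent (the unrestricted pre-1.6 situation),
# and 2 when path.repo is set but does not cover $2.
check_repo_dir() {
    cfg=$1
    dir=${2%/}
    roots=$(repo_roots "$cfg")
    [ -n "$roots" ] || return 1
    for r in $roots; do
        r=${r%/}
        case "$dir" in
            "$r"|"$r"/*) return 0 ;;
        esac
    done
    return 2
}

# Constructed sample configuration files for the demonstration.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'cluster.name: demo\n' > "$tmp/unrestricted.yml"
printf 'cluster.name: demo\npath.repo: ["/mnt/backups", "/mnt/snapshots"]  # snapshot roots\n' \
    > "$tmp/restricted.yml"

for cfg in unrestricted restricted; do
    for dir in /mnt/backups/cluster-a /var/lib/elasticsearch; do
        rc=0
        check_repo_dir "$tmp/$cfg.yml" "$dir" || rc=$?
        case $rc in
            0) verdict="allowed by path.repo" ;;
            1) verdict="path.repo not set: repositories may be registered anywhere the process can write" ;;
            2) verdict="outside every path.repo root" ;;
        esac
        echo "$cfg.yml  $dir  -> $verdict"
    done
done
```

The directory passed as the second argument would in practice be the location a team intends to register through the snapshot API; a result of 1 on a 1.6.0 or later node means the node itself will refuse the registration, while on a 1.0.0 - 1.5.2 node it means nothing constrains where the Elasticsearch user writes except filesystem permissions, which is the condition the advisory's second and third bullets address.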