-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2015.0071
    A number of vulnerabilities have been identified in Elasticsearch
                             17 July 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Elasticsearch
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-5531 CVE-2015-5377 CVE-2015-3253
Member content until: Sunday, August 16 2015

OVERVIEW

        A number of vulnerabilities have been identified in Elasticsearch
        prior to versions 1.6.1 and 1.7.0. [1]

IMPACT

        The vendor has provided the following details regarding these
        issues:

        "Both Elasticsearch 1.6.1 and 1.7.0 include the following two
        security fixes:

        Remote code execution vulnerability

        Elasticsearch versions prior to 1.6.1 are vulnerable to an
        engineered attack on its transport protocol (used for communication
        between nodes and Java clients) that enables remote code execution.
        This issue is related to the Groovy announcement in CVE-2015-3253.
        Deployments are vulnerable even when Groovy dynamic scripting is
        disabled. Users that do not want to upgrade can address the
        vulnerability by securing the transport protocol port (default
        9300) to allow access by only trusted agents. We have been assigned
        CVE-2015-5377 for this issue.

        Directory traversal vulnerability

        Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a
        directory traversal attack that allows an attacker to retrieve
        files that are readable by the Elasticsearch JVM process. Users
        that do not wish to upgrade can use a firewall, reverse proxy, or
        Shield to prevent Snapshot-Restore API calls from untrusted
        sources. We have been assigned CVE-2015-5531 for this issue." [1]

MITIGATION

        The vendor recommends updating to a non-affected version as soon
        as is possible. [1]

REFERENCES

        [1] Elasticsearch 1.7.0 and 1.6.1 released
            https://www.elastic.co/blog/elasticsearch-1-7-0-and-1-6-1-released

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
        AusCERT personnel answer during Queensland business hours
        which are GMT+10:00 (AEST).
        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVahPvn6ZAP0PgtI9AQIppg//fNw0c+c5aeJon/pcpR3BHwguB0nXlayh
snnyZkbync/4hQeoX0sWGp2A43AyDoaRu0V58ZzQSIuS5jHL3otFdYxbE0VHR6jk
3G3dNGgjkpaI33msHkyTEoRcThX4C3KWpf4pDjMnV/ENARe7aZwVXSlS7V1l1BVc
l2EcaezQI2ogHoa5+r00TBDZJDc9s7K6bgXvtdaYoIn9iAvOw2Tzxf0MaIYkMluw
QrhBQckTlZZwypu4fB7GSJxZRbMCivWvW7zCUNqGrGRDoN2121mjKNsh3Jt7juES
9M/N3QcqUrwTvYNWKNHmMF6II/fUt6OeKV+/wcj3zL2aFRvcBE4m9z1Hp7AnVHWZ
pyZnopUyVt+/29UBxdzf/NhFLfAmTPkumLZiUYN1sTfD0WUZwzDCtS+HcVXU63sJ
wTyU3RyBqNtkDKpDk6LH9pOS3j1UMxkSAJTtBQcX+D8X+Pv6OVkBqmCne09HuwBh
Gmc/DtRUTI/ikoj3s9CwYsHezjVd6U5o+Iia0FbPdC2lL6KE+nVEV/9FvNn01TvD
/O3p3miZtfxxomYw8CqDmY9hMxSO++VyvanvTJFcIaussDYG3+jVsVavRlbN/Bk8
VKJdh1OK3nEoV17FUdJvcDfaSx/z1XaNMMBkevwfzIrSgQNKaPFW3NZtVbmrNORY
d/Kqk3HAOmE=
=kQSp
-----END PGP SIGNATURE-----
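Added example, not part of the AusCERT bulletin and not Elastic's code: a small Python check that applies the two version ranges stated in the IMPACT section (prior to 1.6.1 for CVE-2015-5377; 1.0.0 through 1.6.0 for CVE-2015-5531) to the `version.number` field a node returns from `GET /` on its HTTP port, and a path-matching helper that models the reverse-proxy deny rule the vendor offers as a stopgap for the Snapshot-Restore API. The sample node response is constructed. The `_snapshot` path prefix is the Snapshot-Restore API's REST endpoint in Elasticsearch 1.x; the normalisation steps (percent-decoding, dropping empty path segments, case-folding) are defensive assumptions about what a proxy should do before matching, not something the bulletin specifies.

```python
"""Classify an Elasticsearch node's reported version against ASB-2015.0071
and model the reverse-proxy path filter the bulletin suggests as a stopgap.

Added example, not AusCERT or Elastic code. SAMPLE_NODE_RESPONSE below is a
constructed stand-in for the JSON that GET / returns on the HTTP port
(default 9200); only its version.number field is relied on.
"""
import json
import re
from urllib.parse import unquote

# Version ranges exactly as the bulletin states them.
# CVE-2015-5377: transport-protocol RCE, versions prior to 1.6.1.
# CVE-2015-5531: snapshot-restore directory traversal, 1.0.0 through 1.6.0.
FIXED_IN = (1, 6, 1)
TRAVERSAL_FIRST = (1, 0, 0)
TRAVERSAL_LAST = (1, 6, 0)

# Constructed sample; field layout mirrors a 1.x "GET /" banner.
SAMPLE_NODE_RESPONSE = json.dumps({
    "status": 200,
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "1.6.0", "build_hash": "constructed",
                "build_snapshot": False},
    "tagline": "You Know, for Search",
})


def parse_version(text):
    """Turn '1.6.0' or '1.7.0-beta1' into a comparable tuple of ints.
    Pre-release suffixes are dropped (assumption: the bulletin only speaks
    about numbered releases, so '1.6.1-rc1' is treated as 1.6.1 here)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.groups())


def assess(version_text):
    """Return which of the bulletin's two CVEs apply to this version."""
    v = parse_version(version_text)
    return {
        "version": v,
        "CVE-2015-5377": v < FIXED_IN,
        "CVE-2015-5531": TRAVERSAL_FIRST <= v <= TRAVERSAL_LAST,
    }


def assess_node_response(body):
    """Feed the JSON document returned by GET / on the HTTP port."""
    info = json.loads(body)
    return assess(info["version"]["number"])


def is_snapshot_api(request_path):
    """Reverse-proxy deny rule: does this request target /_snapshot/...?

    The query string is stripped, percent-encoding is decoded until stable
    (so '/%5Fsnapshot' and the double-encoded '/%255Fsnapshot' match), empty
    segments from repeated slashes are dropped, and the first segment is
    compared case-insensitively. Case-folding denies more than the server
    would actually route, which is the safe direction for a deny rule.
    """
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = [s for s in path.split("/") if s]
    return bool(segments) and segments[0].lower() == "_snapshot"


if __name__ == "__main__":
    for ver in ("0.90.13", "1.0.0", "1.6.0", "1.6.1", "1.7.0"):
        r = assess(ver)
        print(ver, "CVE-2015-5377:", r["CVE-2015-5377"],
              "CVE-2015-5531:", r["CVE-2015-5531"])
    print("sample node:", assess_node_response(SAMPLE_NODE_RESPONSE))
    for p in ("/_snapshot/backup", "/%5Fsnapshot/backup", "/_cluster/health"):
        print(p, "->", "deny" if is_snapshot_api(p) else "pass")
```

Two caveats a practitioner would want: the banner check says nothing about whether the transport port (default 9300) is reachable from untrusted networks, which is the vendor's stated stopgap for CVE-2015-5377, so it must be paired with a firewall review; and a deny rule on `/_snapshot` only protects the HTTP side of the traversal issue, so it is a bridge until the upgrade to 1.6.1 or 1.7.0 the MITIGATION section calls for, not a substitute.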