===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0071
     A number of vulnerabilities have been identified in Elasticsearch
                               17 July 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Elasticsearch
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-5531 CVE-2015-5377 CVE-2015-3253
Member content until: Sunday, August 16 2015

OVERVIEW

        A number of vulnerabilities have been identified in Elasticsearch
        prior to versions 1.6.1 and 1.7.0. [1]


IMPACT

        The vendor has provided the following details regarding these 
        issues:
        
        "Both Elasticsearch 1.6.1 and 1.7.0 include the following two 
        security fixes:
        
        Remote code execution vulnerability
        
        Elasticsearch versions prior to 1.6.1 are vulnerable to an 
        engineered attack on its transport protocol (used for communication
        between nodes and Java clients) that enables remote code execution.
        This issue is related to the Groovy announcement in CVE-2015-3253.
        
        Deployments are vulnerable even when Groovy dynamic scripting is 
        disabled. Users that do not want to upgrade can address the 
        vulnerability by securing the transport protocol port (default 9300)
        to allow access by only trusted agents.
        
        We have been assigned CVE-2015-5377 for this issue.
        
        Directory traversal vulnerability
        
        Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a 
        directory traversal attack that allows an attacker to retrieve files
        that are readable by the Elasticsearch JVM process. Users that do 
        not wish to upgrade can use a firewall, reverse proxy, or Shield to
        prevent Snapshot-Restore API calls from untrusted sources.
        
        We have been assigned CVE-2015-5531 for this issue." [1]


MITIGATION

        The vendor recommends upgrading to a fixed release (1.6.1 or 1.7.0)
        as soon as possible. Where an immediate upgrade is not possible, the
        vendor's stated interim workarounds are to restrict the transport
        port (default 9300) to trusted hosts only, and to block
        Snapshot-Restore API calls from untrusted sources with a firewall,
        reverse proxy, or Shield. [1]
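        The following is an added example, not code from Elasticsearch or
        from the vendor advisory, that turns the two workarounds quoted
        above into something a practitioner can run: an audit that maps
        each node's reported version onto the affected ranges the vendor
        gives (prior to 1.6.1 for CVE-2015-5377; 1.0.0 through 1.6.0 for
        CVE-2015-5531), and a reverse-proxy style decision that lets
        Snapshot-Restore calls (the REST endpoints under /_snapshot)
        through only from trusted networks. The trusted networks, the node
        inventory and the /_nodes response shape are assumptions made for
        the example. The request path is normalised before matching so that
        percent-encoding or doubled slashes cannot slip a snapshot call past
        the filter; that check is not something the advisory describes, it
        is a caveat a proxy filter of this kind needs in practice.

```python
"""Added example (not Elasticsearch code): interim mitigations for
CVE-2015-5377 / CVE-2015-5531 from the AusCERT bulletin ASB-2015.0071."""
import ipaddress
import json
import re
from urllib.parse import unquote

# Affected ranges as stated by the vendor.
RCE_FIXED = (1, 6, 1)         # CVE-2015-5377: every version prior to 1.6.1
TRAVERSAL_FIRST = (1, 0, 0)   # CVE-2015-5531: 1.0.0 through 1.6.0 inclusive
TRAVERSAL_LAST = (1, 6, 0)

# Assumption for the example: sources allowed to call the Snapshot-Restore
# API. A real deployment substitutes its own backup/admin networks.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("192.168.1.0/24")]

# Snapshot-Restore REST endpoints (repository registration, snapshot
# creation, _restore) all live under this prefix.
SNAPSHOT_PREFIX = "/_snapshot"


def parse_version(text):
    """'1.6.0' -> (1, 6, 0). A '-SNAPSHOT'/'-beta1' suffix is ignored."""
    parts = text.split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Elasticsearch version: %r" % text)
    return tuple(int(p) for p in parts)


def affected(version):
    """Return the set of CVEs from this bulletin that apply to `version`."""
    v = parse_version(version)
    cves = set()
    if v < RCE_FIXED:
        cves.add("CVE-2015-5377")
    if TRAVERSAL_FIRST <= v <= TRAVERSAL_LAST:
        cves.add("CVE-2015-5531")
    return cves


def audit_nodes(nodes_json):
    """Map node name -> sorted list of applicable CVEs.

    Assumes a GET /_nodes style body: {"nodes": {id: {"name", "version"}}}.
    """
    doc = json.loads(nodes_json)
    return {n["name"]: sorted(affected(n["version"]))
            for n in doc["nodes"].values()}


def canonical_path(raw):
    """Normalise a request path before matching: drop the query string,
    percent-decode twice (catches %252F style double encoding), collapse
    repeated slashes and lower-case so the filter fails closed."""
    path = raw.split("?", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def is_snapshot_call(raw_path):
    p = canonical_path(raw_path)
    return p == SNAPSHOT_PREFIX or p.startswith(SNAPSHOT_PREFIX + "/")


def allow_request(raw_path, source_ip):
    """Reverse-proxy decision: Snapshot-Restore calls only from TRUSTED_NETS;
    every other request passes through unchanged."""
    if not is_snapshot_call(raw_path):
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in TRUSTED_NETS)


# Constructed sample: a three-node cluster part-way through an upgrade.
SAMPLE_NODES = json.dumps({"nodes": {
    "a1": {"name": "es-1", "version": "1.5.2"},
    "b2": {"name": "es-2", "version": "1.6.1"},
    "c3": {"name": "es-3", "version": "0.90.13"},
}})

if __name__ == "__main__":
    for name, cves in audit_nodes(SAMPLE_NODES).items():
        print(name, cves or "not affected")
    for path, ip in [("/_snapshot/backup/snap1/_restore", "203.0.113.7"),
                     ("/_snapshot/backup/snap1/_restore", "10.20.3.4"),
                     ("/%5Fsnapshot/backup", "203.0.113.7"),
                     ("/my-index/_search", "203.0.113.7")]:
        print(path, ip, "allow" if allow_request(path, ip) else "deny")
```

        The version audit is the part to keep after upgrading: 0.90.x nodes
        fall inside the remote code execution range but outside the
        traversal range, exactly as the vendor's two ranges state, so a
        mixed cluster needs both checks. The path filter covers only the
        HTTP workaround for the traversal issue; the transport-port
        workaround for CVE-2015-5377 is a network ACL on TCP 9300 and is
        not an HTTP decision at all.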


REFERENCES

        [1] Elasticsearch 1.7.0 and 1.6.1 released
            https://www.elastic.co/blog/elasticsearch-1-7-0-and-1-6-1-released

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================