
List:       bugtraq
Subject:    Elasticsearch vulnerability CVE-2015-3337
From:       Kevin Kluge <kevin () elastic ! co>
Date:       2015-04-27 13:47:22
Message-ID: EE421FD5-158E-4647-825D-4EBC8CE24C47 () elastic ! co

Summary:
All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory
traversal attack that allows an attacker to retrieve files from the server running
Elasticsearch. This vulnerability is not present in the initial installation of
Elasticsearch. The vulnerability is exposed when a "site plugin" is installed.
Elastic's Marvel plugin and many community-sponsored plugins (e.g. Kopf, BigDesk,
Head) are site plugins. Elastic Shield, Licensing, Cloud-AWS, Cloud-GCE,
Cloud-Azure, the analysis plugins, and the river plugins are not site plugins.

We have been assigned CVE-2015-3337 for this issue.


Fixed versions:
Versions 1.5.2 and 1.4.5 have addressed the vulnerability.


Remediation:
Users should upgrade to 1.5.2 or 1.4.5. This will address the vulnerability and
preserve site plugin functionality.

Users that do not want to upgrade can address the vulnerability in several ways, but
these options will break any site plugin:
- Set "http.disable_sites" to true and restart the Elasticsearch node.
- Use a firewall or proxy to block HTTP requests to /_plugin.
- Uninstall all site plugins from all Elasticsearch nodes.


Credit:
John Heasman of DocuSign reported this issue.


CVSS
Overall CVSS score: 4.3
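
The exposure conditions from the Summary and Remediation sections can be checked per node. The following is an added example, not part of the original advisory or Elastic's code. It assumes that site plugins are identified by a "_site" subdirectory under the plugins directory, that later 1.4.x releases carry the fix, and that elasticsearch.yml uses the flat "http.disable_sites: true" form; all function names are hypothetical.

```python
import os
import re
import tempfile

def parse_version(text):
    """(major, minor, patch) from a string such as '1.4.4'; ValueError if malformed."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(p) for p in m.groups())

def version_is_fixed(version):
    """Advisory: fixed in 1.4.5 and 1.5.2. Assumption: later releases keep the fix."""
    v = parse_version(version)
    if v[:2] == (1, 4):
        return v >= (1, 4, 5)
    return v >= (1, 5, 2)

def site_plugins(plugins_dir):
    """Assumption: a site plugin is a plugin directory holding a '_site' subdirectory."""
    if not os.path.isdir(plugins_dir):
        return []
    return sorted(n for n in os.listdir(plugins_dir)
                  if os.path.isdir(os.path.join(plugins_dir, n, "_site")))

def sites_disabled(config_text):
    """True if an uncommented 'http.disable_sites: true' line is present (flat form)."""
    pattern = r"^\s*http\.disable_sites\s*:\s*[\"']?true[\"']?\s*(#.*)?$"
    return re.search(pattern, config_text, re.MULTILINE | re.IGNORECASE) is not None

def assess(version, plugins_dir, config_text):
    """Return (exposed, reason) for one node, following the advisory's conditions."""
    if version_is_fixed(version):
        return False, "version %s includes the fix" % version
    if sites_disabled(config_text):
        return False, "http.disable_sites is true (site plugins will not work)"
    found = site_plugins(plugins_dir)
    if not found:
        return False, "vulnerable version, but no site plugins installed"
    return True, "vulnerable version %s with site plugins: %s" % (version, ", ".join(found))

def demo():
    """Constructed plugin layout: 'head' is a site plugin, 'cloud-aws' is not."""
    root = tempfile.mkdtemp()
    for sub in (("head", "_site"), ("cloud-aws",)):
        os.makedirs(os.path.join(root, *sub))
    return root

if __name__ == "__main__":
    print(assess("1.4.4", demo(), "cluster.name: test\n"))
```

The check reads the configuration file, not the running node, so a changed "http.disable_sites" only counts after the restart the advisory calls for. A firewall or proxy rule blocking /_plugin is not visible to this check and has to be verified separately.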

