6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.532 Medium
EPSS
Percentile
97.6%
Elastic reports:
Vulnerability Summary: In Elasticsearch versions 1.1.x and prior,
dynamic scripting is enabled by default. This could allow an
attacker to execute OS commands.
Remediation Summary: Disable dynamic scripting.
Logstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is
vulnerable to CVE-2014-3120. These binaries are used in
Elasticsearch output specifically when using the node protocol.
Since a node client joins the Elasticsearch cluster, the attackers
could use scripts to execute commands on the host OS using the node
client’s URL endpoint. With 1.4.3 release, we are packaging Logstash
with Elasticsearch 1.5.2 binaries which by default disables the
ability to run scripts. This also affects users who are using the
configuration option embedded=>true in the Elasticsearch output
which starts a local embedded Elasticsearch cluster. This is
typically used in development environment and proof of concept
deployments. Regardless of this vulnerability, we strongly recommend
not using embedded in production.
Note that users of transport and http protocol are not vulnerable
to this attack.
bouk.co/blog/elasticsearch-rce/
www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce
www.elastic.co/blog/elasticsearch-1-2-0-released
www.elastic.co/blog/logstash-1-4-3-released
www.elastic.co/community/security
www.exploit-db.com/exploits/33370/
www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch