https://bugzilla.redhat.com/show_bug.cgi?id=1244236
Bug ID: 1244236
Summary: CVE-2015-5377 elasticsearch: unspecified remote code execution vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: vkaigoro@redhat.com
CC: bkabrda@redhat.com, bkearney@redhat.com, bobjensen@gmail.com, cbillett@redhat.com, cpelland@redhat.com, cperry@redhat.com, java-sig-commits@lists.fedoraproject.org, jvanek@redhat.com, katello-bugs@redhat.com, kseifried@redhat.com, mmccune@redhat.com, ohadlevy@redhat.com, pbrobinson@gmail.com, tjay@redhat.com, tomckay@redhat.com, zbyszek@in.waw.pl
It was reported that Elasticsearch versions prior to 1.6.1 are vulnerable to an unspecified attack, leading to remote code execution.
Upstream fix is not known at the time of writing.
Vasyl Kaigorodov vkaigoro@redhat.com changed:
What       | Removed | Added
Depends On |         | 1244239
--- Comment #1 from Vasyl Kaigorodov vkaigoro@redhat.com ---
Created elasticsearch tracking bugs for this issue:
Affects: fedora-all [bug 1244239]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1244239 [Bug 1244239] CVE-2015-5377 elasticsearch: unspecified remote code execution vulnerability [fedora-all]
Vasyl Kaigorodov vkaigoro@redhat.com changed:
What   | Removed | Added
Blocks |         | 1244240
--- Comment #2 from Kurt Seifried kseifried@redhat.com --- Reference:
http://seclists.org/bugtraq/2015/Jul/82
Kurt Seifried kseifried@redhat.com changed:
What       | Removed | Added
Whiteboard | removed: impact=important,public=20150716,reported=20150717,source=internet,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/elasticsearch=affected,rhn_satellite_6/elasticsearch=affected,sam-1/elasticsearch=affected
           | added:   impact=important,public=20150716,reported=20150717,source=internet,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/elasticsearch=affected,rhn_satellite_6/elasticsearch=wontfix,sam-1/elasticsearch=wontfix
--- Comment #3 from Kurt Seifried kseifried@redhat.com --- Mitigation:
For Satellite 6.x and Sam 1.x you can simply firewall elasticsearch to trusted users only (e.g. root, katello, foreman). For instructions on this please see:
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-sin...
Kurt Seifried kseifried@redhat.com changed:
What       | Removed | Added
Priority   | high    | low
Severity   | high    | low
Whiteboard | removed: impact=important,public=20150716,reported=20150717,source=internet,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/elasticsearch=affected,rhn_satellite_6/elasticsearch=wontfix,sam-1/elasticsearch=wontfix
           | added:   impact=important,public=20150716,reported=20150717,source=internet,cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,fedora-all/elasticsearch=affected,rhn_satellite_6/elasticsearch=wontfix,sam-1/elasticsearch=wontfix
--- Comment #4 from Kurt Seifried kseifried@redhat.com --- Updating the severity: for Sam 1.x, elasticsearch only listens on localhost, so local access is required. For Satellite 6.x the installation process should include firewalling it to trusted local users only. As such this only scores 3.3 instead of 5.8 on the CVSS2 scoring.
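An added audit helper for the mitigation described in comments #3 and #4 (it is not part of the bug report or of Red Hat's documentation): from constructed `ss -ltnp` and `iptables-save` snapshots it classifies the elasticsearch listener as remotely reachable, loopback-only, or loopback restricted to trusted local users. It assumes elasticsearch's default HTTP port 9200 and that the trusted-user restriction is an iptables `owner` match on the OUTPUT chain over lo; neither detail is stated in the bug.

```shell
#!/bin/sh
# Added audit helper, not from the bug report. Assumptions: elasticsearch serves
# HTTP on TCP 9200 (its default, not stated in the bug) and "trusted users" are
# enforced with an iptables owner match on OUTPUT over lo. Snapshots are constructed.

# Constructed `ss -ltnp` output: one node bound to all interfaces, one to loopback.
SS_ALL='LISTEN 0 50 *:9200 *:* users:(("java",pid=1234,fd=99))'
SS_LOCAL='LISTEN 0 50 127.0.0.1:9200 *:* users:(("java",pid=1234,fd=99))'

# Constructed `iptables-save` fragment: only root, katello and foreman may connect
# to 9200 over loopback; everyone else is rejected.
IPT_OK='-A OUTPUT -o lo -p tcp --dport 9200 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 9200 -j REJECT'
IPT_NONE=''

# es_bind_scope "<ss output>": prints loopback, any, or none for port 9200.
es_bind_scope() {
  line=$(printf '%s\n' "$1" | grep -E '[:.]9200 ' || true)
  [ -z "$line" ] && { echo none; return; }
  case "$line" in
    *127.0.0.1:9200*|*'[::1]:9200'*) echo loopback ;;
    *) echo any ;;
  esac
}

# es_owner_restricted "<iptables-save output>": returns 0 only if port 9200 has
# per-user ACCEPT rules and a catch-all REJECT/DROP without an owner match.
es_owner_restricted() {
  printf '%s\n' "$1" | grep -q -- '--dport 9200 -m owner --uid-owner' || return 1
  printf '%s\n' "$1" | grep -E -- '--dport 9200 -j (REJECT|DROP)' | grep -qv owner || return 1
  return 0
}

# es_exposure "<ss>" "<iptables>": remote, local-trusted, local-any, or not-listening,
# following the reasoning in comment #4 (localhost bind means local access needed).
es_exposure() {
  scope=$(es_bind_scope "$1")
  if [ "$scope" = any ]; then echo remote; return; fi
  if [ "$scope" = none ]; then echo not-listening; return; fi
  es_owner_restricted "$2" && echo local-trusted || echo local-any
}
```

Run it against live output with `es_exposure "$(ss -ltnp)" "$(iptables-save)"`; any result other than `local-trusted` means the mitigation from comment #3 is not in place.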
Kurt Seifried kseifried@redhat.com changed:
What        | Removed | Added
Status      | NEW     | CLOSED
Resolution  | ---     | WONTFIX
Last Closed |         | 2015-07-20 00:05:43
--- Comment #5 from Kurt Seifried kseifried@redhat.com --- Statement:
This issue affects the versions of elasticsearch as shipped with Red Hat Satellite 6.x and Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Kurt Seifried kseifried@redhat.com changed:
What       | Removed | Added
Whiteboard | removed: impact=important,public=20150716,reported=20150717,source=internet,cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,fedora-all/elasticsearch=affected,rhn_satellite_6/elasticsearch=wontfix,sam-1/elasticsearch=wontfix
           | added:   impact=low,public=20150716,reported=20150717,source=internet,cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,fedora-all/elasticsearch=affected,rhn_satellite_6/elasticsearch=wontfix,sam-1/elasticsearch=wontfix
Bug 1244236 depends on bug 1244239, which changed state.
Bug 1244239 Summary: CVE-2015-5377 CVE-2015-5531 elasticsearch: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1244239
What       | Removed | Added
Status     | NEW     | CLOSED
Resolution | ---     | CURRENTRELEASE