https://bugzilla.redhat.com/show_bug.cgi?id=1230761
Bug ID: 1230761
Summary: CVE-2015-4165 elasticsearch: unspecified arbitrary files modification vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: vkaigoro@redhat.com
CC: bkabrda@redhat.com, bkearney@redhat.com, bobjensen@gmail.com, cbillett@redhat.com, cpelland@redhat.com, cperry@redhat.com, java-sig-commits@lists.fedoraproject.org, jvanek@redhat.com, katello-bugs@redhat.com, kseifried@redhat.com, mmccune@redhat.com, ohadlevy@redhat.com, pbrobinson@gmail.com, tjay@redhat.com, tomckay@redhat.com, zbyszek@in.waw.pl
All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications. Upstream bug/commit unknown at the time of writing.
Mitigation:
===========
Users should upgrade to 1.6.0. Alternatively, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read.
External References:
https://www.elastic.co/community/security/
Vasyl Kaigorodov vkaigoro@redhat.com changed:
What       |Removed                                 |Added
----------------------------------------------------------------------------
Blocks     |                                        |1230763
Vasyl Kaigorodov vkaigoro@redhat.com changed:
What       |Removed                                 |Added
----------------------------------------------------------------------------
Depends On |                                        |1230765
--- Comment #1 from Vasyl Kaigorodov vkaigoro@redhat.com ---
Created elasticsearch tracking bugs for this issue:
Affects: fedora-all [bug 1230765]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1230765 [Bug 1230765] CVE-2015-4165 elasticsearch: unspecified arbitrary files modification vulnerability [fedora-all]
--- Comment #2 from Kurt Seifried kseifried@redhat.com ---
Additional information:
https://discuss.elastic.co/t/elasticsearch-engineered-attack-vulnerability-c...
Summary: Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered attack on other applications on the system. The snapshot API may be used indirectly to place snapshot metadata files into locations that are writeable by the user running the Elasticsearch process. It is possible to create a file that another application could read and take action on, such as code execution.
This vulnerability requires several conditions to be exploited. There must be some other application running on the system that would read Lucene files and execute code from them. That application must also be accessible to the attacker, e.g. over the network. Lastly, the Java VM running the Elasticsearch process must be able to write into a location that the other application will read and potentially execute.
--- Comment #3 from Kurt Seifried kseifried@redhat.com ---
The upstream issue, pull and commit are:
https://github.com/elastic/elasticsearch/issues/11068
https://github.com/elastic/elasticsearch/pull/11284
https://github.com/imotov/elasticsearch/commit/f5cfb2a1869d1a52930cbd3138278...
--- Comment #4 from Kurt Seifried kseifried@redhat.com ---
For Satellite 6 the install documents:
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-sin...
include firewalling elasticsearch so that only the foreman, katello and root users can connect. As such, this reduces exposure of elasticsearch significantly.
Kurt Seifried kseifried@redhat.com changed:
What       |Removed                                 |Added
----------------------------------------------------------------------------
Whiteboard |impact=important,                       |impact=important,
           |public=20150609,                        |public=20150609,
           |reported=20150611,                      |reported=20150611,
           |source=internet,                        |source=internet,
           |cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,   |cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,
           |fedora-all/elasticsearch=affected,      |fedora-all/elasticsearch=affected,
           |rhn_satellite_6/elasticsearch=affected, |rhn_satellite_6/elasticsearch=wontfix,
           |sam-1/elasticsearch=affected            |sam-1/elasticsearch=affected
--- Comment #5 from Kurt Seifried kseifried@redhat.com ---
Workaround:
For Satellite 6.x and Sam 1.x you can simply firewall elasticsearch to trusted users only (e.g. root, katello, foreman). For instructions on this please see:
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-sin...
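Added example, not code from the bug report, the Satellite documentation or Elasticsearch: a POSIX shell check that audits an `iptables -S OUTPUT` dump to confirm that the Elasticsearch HTTP port is reachable only by the trusted local users named in the workaround above. Port 9200, the rule shape (per-user `--uid-owner` ACCEPT rules followed by a catch-all DROP) and the sample dumps are assumptions constructed for the example, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Satellite docs: check an
# `iptables -S OUTPUT` dump for the "firewall elasticsearch to trusted users
# only" workaround. Rule shape and port 9200 are assumptions; adjust per host.
ES_PORT=9200
TRUSTED_USERS="root katello foreman"
# Constructed sample dumps, not captured from a real system.
GOOD_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP'
# Weak variant: an untrusted user is allowed and the catch-all DROP is missing.
WEAK_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner apache -j ACCEPT'

# es_port_restricted RULES: prints "ok" and returns 0 when every ACCEPT for
# ES_PORT names a trusted --uid-owner and a catch-all DROP/REJECT follows;
# otherwise prints each finding and returns 1. Numeric UIDs are not resolved.
es_port_restricted() {
    port_rules=$(printf '%s\n' "$1" | grep -- "--dport $ES_PORT ")
    findings=$(printf '%s\n' "$port_rules" | grep -- '-j ACCEPT' |
        while IFS= read -r r; do
            [ -n "$r" ] || continue
            owner=$(printf '%s\n' "$r" | sed -n 's/.*--uid-owner \([^ ]*\).*/\1/p')
            if [ -z "$owner" ]; then
                printf 'ACCEPT without owner match: %s\n' "$r"
            else
                case " $TRUSTED_USERS " in
                    *" $owner "*) ;;
                    *) printf 'ACCEPT for untrusted user: %s\n' "$owner" ;;
                esac
            fi
        done)
    # The terminal rule must drop the port for every user not matched above.
    if ! printf '%s\n' "$port_rules" | grep -v -- '--uid-owner' |
            grep -qE -- '-j (DROP|REJECT)'; then
        findings="$findings
no catch-all DROP/REJECT for port $ES_PORT"
    fi
    [ -z "$findings" ] && { echo ok; return 0; }
    printf '%s\n' "$findings" | sed '/^$/d'
    return 1
}

# Stand-alone run on the samples; on a live host pass "$(iptables -S OUTPUT)".
es_port_restricted "$GOOD_RULES"
es_port_restricted "$WEAK_RULES" || echo "(weak rule set correctly rejected)"
```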
Kurt Seifried kseifried@redhat.com changed:
What       |Removed                                 |Added
----------------------------------------------------------------------------
Whiteboard |impact=important,                       |impact=important,
           |public=20150609,                        |public=20150609,
           |reported=20150611,                      |reported=20150611,
           |source=internet,                        |source=internet,
           |cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,   |cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,
           |fedora-all/elasticsearch=affected,      |fedora-all/elasticsearch=affected,
           |rhn_satellite_6/elasticsearch=wontfix,  |rhn_satellite_6/elasticsearch=wontfix,
           |sam-1/elasticsearch=affected            |sam-1/elasticsearch=wontfix
Severity   |high                                    |low
--- Comment #6 from Kurt Seifried kseifried@redhat.com ---
Updating the severity: for Sam 1.x, elasticsearch only listens on localhost, thus local access is required. For Satellite 6.x the installation process should include firewalling it to trusted local users only. As such, this only scores 3.3 instead of 5.8 on the CVSS2 scoring.
Kurt Seifried kseifried@redhat.com changed:
What       |Removed                                 |Added
----------------------------------------------------------------------------
Priority   |high                                    |low
Kurt Seifried kseifried@redhat.com changed:
What       |Removed                                 |Added
----------------------------------------------------------------------------
Status     |NEW                                     |CLOSED
Resolution |---                                     |WONTFIX
Last Closed|                                        |2015-07-13 23:32:03
--- Comment #7 from Kurt Seifried kseifried@redhat.com ---
Statement:
This issue affects the versions of elasticsearch as shipped with Red Hat Satellite 6.x and Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Kurt Seifried kseifried@redhat.com changed:
What       |Removed                                 |Added
----------------------------------------------------------------------------
Whiteboard |impact=important,                       |impact=low,
           |public=20150609,                        |public=20150609,
           |reported=20150611,                      |reported=20150611,
           |source=internet,                        |source=internet,
           |cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,   |cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,
           |fedora-all/elasticsearch=affected,      |fedora-all/elasticsearch=affected,
           |rhn_satellite_6/elasticsearch=wontfix,  |rhn_satellite_6/elasticsearch=wontfix,
           |sam-1/elasticsearch=wontfix             |sam-1/elasticsearch=wontfix
Bug 1230761 depends on bug 1230765, which changed state.
Bug 1230765 Summary: CVE-2015-4165 elasticsearch: unspecified arbitrary files modification vulnerability [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1230765
What       |Removed                                 |Added
----------------------------------------------------------------------------
Status     |NEW                                     |CLOSED
Resolution |---                                     |CURRENTRELEASE