https://bugzilla.redhat.com/show_bug.cgi?id=1230761
Bug ID: 1230761
Summary: CVE-2015-4165 elasticsearch: unspecified arbitrary files modification vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: vkaigoro@redhat.com
CC: bkabrda@redhat.com, bkearney@redhat.com, bobjensen@gmail.com, cbillett@redhat.com, cpelland@redhat.com, cperry@redhat.com, java-sig-commits@lists.fedoraproject.org, jvanek@redhat.com, katello-bugs@redhat.com, kseifried@redhat.com, mmccune@redhat.com, ohadlevy@redhat.com, pbrobinson@gmail.com, tjay@redhat.com, tomckay@redhat.com, zbyszek@in.waw.pl
All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications. Upstream bug/commit unknown at the time of writing.
Mitigation:
===========

Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read.
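The two mitigation conditions above (affected version range, and no overlap between what Elasticsearch writes and what other applications read) can be checked from a node's own metadata. The following is an added example, not part of this bug report or of Elasticsearch itself. It assumes only that the node's root HTTP endpoint (GET /) returns a JSON document with a version.number field; the JSON body and the directory lists are constructed sample data, and the on-disk layout check is a plain path-containment test, not a model of the unspecified upstream issue.

```python
import json
import os

# Affected range and fixed version as stated in the advisory.
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 5, 2)
FIXED = (1, 6, 0)


def parse_version(version):
    """Turn '1.4.2' or '1.3.4-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = version.split("-")[0]          # drop any pre-release suffix
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                 # pad short versions such as '1.5'
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version falls inside the 1.0.0 .. 1.5.2 range named by the advisory."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def version_from_root_response(body):
    """Extract version.number from the JSON text returned by GET / on an Elasticsearch node."""
    return json.loads(body)["version"]["number"]


def writable_overlap(es_writable_dirs, other_app_read_paths):
    """Return (es_dir, other_path) pairs where a path another application reads
    lies inside a directory Elasticsearch can write to.  An empty list means the
    second mitigation condition (no shared writable/readable areas) holds for the
    inputs given."""
    hits = []
    for w in es_writable_dirs:
        w_norm = os.path.normpath(w)
        for r in other_app_read_paths:
            r_norm = os.path.normpath(r)
            if os.path.commonpath([w_norm, r_norm]) == w_norm:
                hits.append((w_norm, r_norm))
    return hits


def assess(root_body, es_writable_dirs, other_app_read_paths):
    """Combine both checks into one verdict dictionary."""
    version = version_from_root_response(root_body)
    return {
        "version": version,
        "affected_version": is_affected(version),
        "overlaps": writable_overlap(es_writable_dirs, other_app_read_paths),
    }


if __name__ == "__main__":
    # Constructed sample response; a real node would be queried over HTTP.
    sample_root = '{"name": "node-1", "version": {"number": "1.4.2"}, "tagline": "You Know, for Search"}'
    # Constructed directory lists standing in for path.data / path.logs and for
    # locations that other software on the host loads files from.
    es_dirs = ["/var/lib/elasticsearch", "/var/log/elasticsearch"]
    other_reads = ["/var/log/elasticsearch/scripts", "/etc/someapp/conf.d"]
    print(assess(sample_root, es_dirs, other_reads))
```

The verdict dictionary is what an inventory or configuration-audit job would record per host: an affected version means "upgrade to 1.6.0", and a non-empty overlaps list points at the directory pairing to break, which is the second mitigation the advisory describes.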
External References:
https://www.elastic.co/community/security/