FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

elasticsearch and logstash -- remote OS command execution via dynamic scripting

Affected packages
elasticsearch < 1.2.0
logstash < 1.4.3

Details

VuXML ID 43ac9d42-1b9a-11e5-b43d-002590263bf5
Discovery 2014-05-22
Entry 2015-06-26

Elastic reports:

Vulnerability Summary: In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default. This could allow an attacker to execute OS commands.

Remediation Summary: Disable dynamic scripting.

Logstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is vulnerable to CVE-2014-3120. These binaries are used in Elasticsearch output specifically when using the node protocol. Since a node client joins the Elasticsearch cluster, the attackers could use scripts to execute commands on the host OS using the node client's URL endpoint. With the 1.4.3 release, we are packaging Logstash with Elasticsearch 1.5.2 binaries which by default disables the ability to run scripts. This also affects users who are using the configuration option embedded=>true in the Elasticsearch output which starts a local embedded Elasticsearch cluster. This is typically used in development environments and proof of concept deployments. Regardless of this vulnerability, we strongly recommend not using embedded in production.

Note that users of transport and http protocol are not vulnerable to this attack.
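The following check is an added example, not part of the VuXML entry or Elastic's own tooling: it walks a GET /_nodes/settings response and flags every node that still runs a pre-1.2.0 release without script.disable_dynamic set to true (the remediation above). The response shape (nodes keyed by id, each carrying "version" and a possibly nested "settings" map) and the sample cluster are assumptions constructed for the demonstration.

```python
import re

# Constructed sample of a GET /_nodes/settings body from a mixed 1.x cluster.
# The shape (nodes keyed by id, each with "version" and "settings") is assumed.
SAMPLE_NODES = {
    "cluster_name": "dev",
    "nodes": {
        "n1": {"name": "ls-embedded", "version": "1.1.1",
               "settings": {"node": {"client": "true"}}},          # default: exposed
        "n2": {"name": "hardened", "version": "1.1.1",
               "settings": {"script": {"disable_dynamic": "true"}}},  # remediated
        "n3": {"name": "upgraded", "version": "1.2.0", "settings": {}},  # new default
    },
}

def parse_version(v):
    """'1.1.1' -> (1, 1, 1); tolerates suffixes such as '1.1.1-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError("unrecognised Elasticsearch version: %r" % v)
    return tuple(int(x) for x in m.groups())

def flatten(settings, prefix=""):
    """Turn a nested settings map into dotted keys ('script.disable_dynamic').
    Already-flat keys (as with ?flat_settings=true) pass through unchanged."""
    out = {}
    for key, val in settings.items():
        dotted = prefix + key
        if isinstance(val, dict):
            out.update(flatten(val, dotted + "."))
        else:
            out[dotted] = str(val)
    return out

def dynamic_scripting_exposed(version, settings):
    """True when the node accepts dynamic scripts: older than 1.2.0 and the
    operator has not set script.disable_dynamic: true in elasticsearch.yml."""
    if parse_version(version) >= (1, 2, 0):
        return False  # 1.2.0 changed the default to disabled
    flag = flatten(settings).get("script.disable_dynamic", "false")
    return flag.lower() != "true"

def exposed_nodes(nodes_body):
    """Names of nodes in a /_nodes/settings body that still need remediation."""
    return sorted(n["name"] for n in nodes_body["nodes"].values()
                  if dynamic_scripting_exposed(n["version"], n["settings"]))

if __name__ == "__main__":
    print(exposed_nodes(SAMPLE_NODES))  # ['ls-embedded']
```

Nodes reported by this check include any embedded or node-protocol client started by Logstash 1.4.2, since those join the cluster with the bundled 1.1.1 defaults.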

References

Bugtraq ID 67731
CVE Name CVE-2014-3120
URL http://bouk.co/blog/elasticsearch-rce/
URL http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce
URL https://www.elastic.co/blog/elasticsearch-1-2-0-released
URL https://www.elastic.co/blog/logstash-1-4-3-released
URL https://www.elastic.co/community/security
URL https://www.exploit-db.com/exploits/33370/
URL https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch