CVE-2015-4165
First published: Thu Jun 11 2015(Updated: )
All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications. Upstream bug/commit unknown at the time of writing. Mitigation: =========== Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read. External References: <a href="https://www.elastic.co/community/security/">https://www.elastic.co/community/security/</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Elasticsearch | <1.6.0 | 1.6.0 |
| Elastic Elasticsearch | =1.5.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/132234/Elasticsearch-1.5.2-File-Creation.html
- http://www.securityfocus.com/archive/1/535727/100/0/threaded
- http://www.securityfocus.com/archive/1/536855/100/0/threaded
- http://www.securityfocus.com/bid/75113
- https://bugzilla.redhat.com/show_bug.cgi?id=1230761
- https://www.elastic.co/community/security/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1230765
- https://discuss.elastic.co/t/elasticsearch-engineered-attack-vulnerability-cve-2015-4165/2256
- https://github.com/elastic/elasticsearch/issues/11068
- https://github.com/elastic/elasticsearch/pull/11284
- https://github.com/imotov/elasticsearch/commit/f5cfb2a1869d1a52930cbd3138278a6e2c1b22e6
- https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-single/Installation_Guide/index.html#sect-Red_Hat_Satellite-Installation_Guide-Red_Hat_Satellite_Installation-Configuring_Red_Hat_Satellite_Manually
- https://access.redhat.com/security/updates/classification/
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-4165
- agent/software-canonical-lookup
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/references
- agent/author
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/elasticsearch
- canonical/elastic elasticsearch
- version/elastic elasticsearch/1.5.2