Bug 539884 (CVE-2015-1427) - <app-misc/elasticsearch-1.4.4: remote code execution using Groovy scripts (CVE-2015-1427)
Summary: <app-misc/elasticsearch-1.4.4: remote code execution using Groovy scripts (CV...
Status: RESOLVED FIXED
Alias: CVE-2015-1427
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-12 17:11 UTC by Agostino Sarubbo
Modified: 2015-06-15 00:39 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-02-12 17:11:30 UTC
From ${URL} :

It was reported [1] that Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.

Mitigation:

Users can address the vulnerability by setting script.groovy.sandbox.enabled to false in config/elasticsearch.yml and restarting the node.

Upstream fixes:
1.3: https://github.com/elasticsearch/elasticsearch/commit/69735b0f4ab9ad7df4b82e8c917589b52cb9978c
1.4: https://github.com/elasticsearch/elasticsearch/commit/4e952b2d75de6ca4caf4b6743462714f3b60d07f
1.x: https://github.com/elasticsearch/elasticsearch/commit/716f0b24dc5414616e8dc0590dbfcfa0081be892

[1]: https://github.com/elasticsearch/elasticsearch/issues/9655


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
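A defender's check for the two facts the report gives, the affected version ranges and the interim mitigation in config/elasticsearch.yml, as an added example that is not part of the bug report or of the Elasticsearch project; the function names and the constructed config file are my own.

```shell
#!/bin/sh
# Added example, not from the bug report or the Elasticsearch project.
# Decides from a node's version string whether it falls in the ranges the
# report names as affected (1.3.0-1.3.7 and 1.4.0-1.4.2), and whether the
# interim mitigation from the report (script.groovy.sandbox.enabled: false
# in config/elasticsearch.yml) is present. Function names are assumptions.

# es_version_affected VERSION -> status 0 if VERSION is in an affected range
es_version_affected() {
    v=${1%%[!0-9.]*}                 # "1.4.2-SNAPSHOT" -> "1.4.2"
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 1 ] || return 1
    case "$minor" in
        3) [ "$patch" -le 7 ] ;;     # fixed in 1.3.8
        4) [ "$patch" -le 2 ] ;;     # fixed in 1.4.3
        *) return 1 ;;
    esac
}

# sandbox_disabled FILE -> status 0 if FILE turns the Groovy sandbox off
sandbox_disabled() {
    grep -Eq '^[[:space:]]*script\.groovy\.sandbox\.enabled[[:space:]]*:[[:space:]]*false[[:space:]]*(#.*)?$' "$1"
}

# check_node VERSION FILE -> prints a verdict; status 0 unless vulnerable
check_node() {
    if ! es_version_affected "$1"; then
        echo "ok: $1 is outside the affected ranges"
    elif sandbox_disabled "$2"; then
        echo "mitigated: $1 is affected but the Groovy sandbox is disabled in $2"
    else
        echo "VULNERABLE: $1 is affected and $2 does not disable the Groovy sandbox"
        return 2
    fi
}

# Demo on a constructed config file (not a real node's elasticsearch.yml).
cfg=$(mktemp)
printf 'cluster.name: demo\nscript.groovy.sandbox.enabled: false\n' > "$cfg"
check_node 1.4.2 "$cfg"      # prints "mitigated: ..."
check_node 1.4.4 "$cfg"      # prints "ok: ..."
rm -f "$cfg"
```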
Comment 1 Tomáš Mózes 2015-02-17 07:29:39 UTC
Releases 1.4.3 and 1.3.8 are out fixing this issue:
http://www.elasticsearch.org/blog/elasticsearch-1-4-3-and-1-3-8-released/
Comment 2 Ferenc Erki 2015-03-02 22:50:43 UTC
Ebuilds for elasticsearch versions 1.3.8, 1.4.3, 1.3.9, and 1.4.4 are available in our recently opensourced overlay: https://github.com/adjust/gentoo-overlay/tree/master/app-misc/elasticsearch

Let me know if you prefer adding them as attachment.
Comment 3 Ferenc Erki 2015-03-23 10:03:01 UTC
Is there anything I can help with to get our ebuilds mentioned above into the tree?
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2015-03-23 10:55:12 UTC
A security bug is not the correct place for this. The 1.4.4 secure version is already in the tree so I will simply prune older ebuilds now.
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2015-03-23 11:44:01 UTC
+  23 Mar 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.3.2-r2.ebuild,
+  -elasticsearch-1.4.0.ebuild, -elasticsearch-1.4.2.ebuild:
+  Remove vulnerable ebuilds for security bug #539884.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-06-15 00:39:11 UTC
CVE-2015-1427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1427):
  The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before
  1.4.3 allows remote attackers to bypass the sandbox protection mechanism and
  execute arbitrary shell commands via a crafted script.