ElasticSearch 1.4.0/1.4.2 RCE

By
Prathap
Published on
16 Jun 2021
1 min read
Vulnerability

Remote Code Evaluation will result in the entire web application and web server being compromised.It’s worth noting that code evaluation functions are available in almost any programming language.Here RCE is performed over Elastic Search Engine it is a real time distributed and analytical engine developed in java.It is mainly used for single page application projects.Elastic search is based on the Lucene engine, which has a REST gui on top of it.Instead of tables and schemas, it supports full text search, which is mostly document-based.Elasticsearch versions prior to 1.3.8 and 1.4.x versions prior to 1.4.3 are vulnerable to this attack.Remote attackers would break Elasticsearch’s sandbox security by writing a custom script that uses the Groovy scripting language.

IMPACT

It is possible to change certain system files or information, but the attacker has no control over what can be changed, or the scope of what the attacker can affect is restricted.There is a decrease in efficiency or a disruption in the availability of resources also happen after the attack was performed.

Mitigation / Precaution

  • Upgrade to 1.3.8 or 1.4.3 if you haven’t already. If you don’t want to update, change script.groovy.sandbox.enabled to false in elasticsearch.yml and restart the node to fix the vulnerability.

Written by
Prathap
Prathap
Co-founder, Director
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days