Disable dynamic Groovy scripting by marking Groovy as not sandboxed #9655

Closed
clintongormley opened this issue Feb 11, 2015 · 4 comments

@clintongormley

Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.

We have been assigned CVE-2015-1427 for this issue.

Versions 1.3.8 and 1.4.3 disable sandboxing for Groovy by default. As a consequence, dynamic script execution is disabled for Groovy. In other words, inline Groovy scripts will not be accepted as part of a request, and will not be retrieved from the .scripts index. Groovy scripts can still be used if they are stored in files in the config/scripts directory.

Users should upgrade to 1.3.8 or 1.4.3. Users that do not want to upgrade can address the vulnerability by setting script.groovy.sandbox.enabled to false in config/elasticsearch.yml and restarting the node.

Groovy dynamic scripting disabled in:

@bjm88

bjm88 commented Mar 25, 2015

We had this security issue exploited against our UAT/test AWS instance. The production ES cluster is behind a firewall, but the UAT/test environment was not. I suspect a scan of port 9200 for ES is how we were identified. In the Elasticsearch logs we saw the below; you can see the use of a Groovy script to get the Java Runtime and do exec. In our case they put a UDP bot in our /tmp folder, likely to launch UDP port 80 DoS attacks.

org.elasticsearch.search.SearchParseException: [caredox_demo_medications][4]: from[-1],size[1]: Parse Failure [Failed to parse source [{"size":1,"script_fields":{"exp":{"script":"java.lang.Math.class.forName("java.io.BufferedReader").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName("java.io.InputStreamReader").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("chmod 777 /tmp/bvxz.fp").getInputStream())).readLines()","lang": "groovy"}}}]]

@jiamo

jiamo commented Sep 28, 2015

elasticsearch-1.7.2 with script.disable_dynamic: false set. The tool from https://github.com/Svti/ElasticSearchEXP can still successfully exec commands.

@dakrone
Member

dakrone commented Sep 28, 2015

> elasticsearch-1.7.2 with script.disable_dynamic: false set. The tool from https://github.com/Svti/ElasticSearchEXP can still successfully exec commands.

This is if you enable dynamic scripting (which is off by default). If you enable dynamic scripting you will need to protect Elasticsearch by other means (binding to localhost only, or using a firewall).
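
The settings described in the issue body and in dakrone's reply, pulled together as an added example (not Elastic's code and not anything the project ships): a small Python audit that takes a node's version string and the text of its elasticsearch.yml and reports whether the node is in the CVE-2015-1427 range with the Groovy sandbox still enabled, or has script.disable_dynamic: false set without being bound to localhost. It assumes a flat key: value elasticsearch.yml with dotted keys (the form used in this thread), treats an unset network.host as not localhost-only, and the configs fed to it below are constructed.

```python
"""Audit an Elasticsearch 1.x node for the dynamic Groovy exposure this issue
describes: CVE-2015-1427 on 1.3.0-1.3.7 / 1.4.0-1.4.2 with the sandbox on, and
dynamic scripting explicitly re-enabled on a node not bound to localhost.

Added example, not Elastic's code. Assumes elasticsearch.yml uses flat dotted
keys (e.g. `script.disable_dynamic: false`), as the thread writes them; nested
YAML is not handled. An unset network.host is treated as not localhost-only.
"""
import re

# Release ranges the issue names as vulnerable, and the fix for each line.
VULNERABLE = (((1, 3, 0), (1, 3, 7)), ((1, 4, 0), (1, 4, 2)))
FIXED_IN = {(1, 3): "1.3.8", (1, 4): "1.4.3"}
# Values of network.host that keep port 9200 off the network.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    return tuple(int(x) for x in m.groups())


def parse_flat_yml(text):
    """Collect `key: value` pairs; '#' starts a comment. Nested keys unsupported."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def as_bool(value, default):
    if value is None:
        return default
    return value.lower() in ("true", "yes", "on", "1")


def groovy_sandbox_escape_affected(version):
    return any(lo <= version <= hi for lo, hi in VULNERABLE)


def audit(version_text, yml_text):
    """Return a list of findings, each 'code: explanation'. Empty means OK."""
    version = parse_version(version_text)
    cfg = parse_flat_yml(yml_text)
    findings = []

    # On the affected releases the sandbox was on by default; the fix releases
    # and the workaround both turn it off, which also disables inline Groovy.
    sandbox_on = as_bool(cfg.get("script.groovy.sandbox.enabled"), default=True)
    if groovy_sandbox_escape_affected(version) and sandbox_on:
        findings.append(
            f"CVE-2015-1427: Groovy sandbox enabled on {version_text}; "
            f"upgrade to {FIXED_IN[version[:2]]} or set "
            "script.groovy.sandbox.enabled: false and restart the node"
        )

    # dakrone's point: dynamic scripting is off by default; a node that turns
    # it back on (script.disable_dynamic: false) must be shielded by binding
    # to localhost or by a firewall, since any client can then run JVM code.
    dynamic_on = cfg.get("script.disable_dynamic", "").lower() == "false"
    host = cfg.get("network.host")
    if dynamic_on and host not in LOCAL_HOSTS:
        findings.append(
            "dynamic-scripting-exposed: script.disable_dynamic: false with "
            f"network.host={host or '<unset>'}; bind to localhost or firewall 9200"
        )
    return findings


if __name__ == "__main__":
    # Constructed configs: the weak one beside the corrected one.
    weak = "script.disable_dynamic: false\nnetwork.host: 0.0.0.0\n"
    fixed = "script.groovy.sandbox.enabled: false\nnetwork.host: 127.0.0.1\n"
    for v, y in (("1.4.2", weak), ("1.4.2", fixed), ("1.7.2", weak)):
        print(v, audit(v, y) or ["ok"])
```

Run it against each node's version and config file; a 1.4.2 node with the weak config produces both findings, the same node with the corrected config produces none, and a 1.7.2 node with the weak config only trips the exposure check, matching the two separate points made in the thread.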

@jiamo

jiamo commented Sep 28, 2015

Can Elasticsearch identify only scripts like "script" : "ctx._source.counter += count", and disable the script in https://github.com/Svti/ElasticSearchEXP?
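
Taking bjm88's log line and jiamo's question together, here is an added example (not Elastic's code and not something the project ships) of how a log monitor can tell a benign update script such as ctx._source.counter += count from an inline Groovy payload that climbs from a whitelisted class to Class.forName and Runtime.exec. The log lines in the block are constructed; the first is modelled on the SearchParseException in bjm88's comment with the payload shortened. The script is cut out of bodies logged as "script":"...","lang":"..." (the logged body is not valid JSON because the inner quotes are unescaped); a body without a trailing lang key is scanned whole.

```python
"""Flag Elasticsearch 1.x log lines whose inline script reaches for the JVM's
reflection/exec surface, as in the SearchParseException bjm88 posted.

Added example, not Elastic's code. SAMPLE_LOG is constructed; its first entry
is modelled on the thread's log line with the payload shortened.
"""
import re

# Calls a search or update script almost never needs, but which the Groovy
# sandbox escapes on 1.3.x/1.4.x do: reach java.lang.Class from a whitelisted
# class, then Runtime.exec / ProcessBuilder, or reflection to get there.
INDICATORS = {
    "class-forName": re.compile(r"\bforName\s*\("),
    "runtime-exec": re.compile(r"\bgetRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "process-builder": re.compile(r"\bProcessBuilder\b"),
    "reflection": re.compile(
        r"\b(?:getConstructor|getMethod|getDeclaredMethod|newInstance)\s*\("
    ),
}

# The logged request body is not valid JSON (inner quotes are unescaped), so
# the script is taken as everything between "script":" and ","lang":"...".
SCRIPT_RE = re.compile(r'"script"\s*:\s*"(.*?)"\s*,\s*"lang"\s*:\s*"([^"]*)"', re.S)

SAMPLE_LOG = [
    # Modelled on bjm88's SearchParseException (payload shortened).
    '[2015-03-24 02:11:09,544][DEBUG][action.search.type] [node-1] [idx][4]: '
    'Parse Failure [Failed to parse source [{"size":1,"script_fields":{"exp":'
    '{"script":"java.lang.Math.class.forName("java.lang.Runtime").getRuntime()'
    '.exec("chmod 777 /tmp/bvxz.fp").getInputStream()","lang": "groovy"}}}]]',
    # Benign counter update, the kind of script jiamo asked about.
    '[2015-03-24 02:12:00,001][DEBUG][action.update] [node-1] source '
    '[{"script":"ctx._source.counter += count","lang":"groovy","params":{"count":4}}]',
    # Benign script_fields expression.
    '[2015-03-24 02:12:30,002][DEBUG][action.search.type] [node-1] source '
    '[{"script_fields":{"p":{"script":"doc[\'price\'].value * 1.2","lang":"groovy"}}}]',
    # Unrelated line with no script at all.
    '[2015-03-24 02:13:00,003][INFO ][cluster.service] [node-1] new_master ...',
]


def extract_script(line):
    """Return (script, lang) from a logged request body, or (None, None)."""
    m = SCRIPT_RE.search(line)
    if m:
        return m.group(1), m.group(2).lower()
    return None, None


def analyze(line):
    """Classify one log line: which indicators its script trips, if any."""
    script, lang = extract_script(line)
    # Fallback: a body with a script but no trailing lang key is scanned whole.
    target = script if script is not None else (line if '"script"' in line else "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(target)]
    return {"script": script, "lang": lang, "indicators": hits, "suspicious": bool(hits)}


def suspicious_lines(lines):
    """(index, analysis) for every line that trips at least one indicator."""
    results = []
    for i, line in enumerate(lines):
        r = analyze(line)
        if r["suspicious"]:
            results.append((i, r))
    return results


if __name__ == "__main__":
    for i, r in suspicious_lines(SAMPLE_LOG):
        print(f"line {i}: lang={r['lang']} indicators={r['indicators']}")
        print("  script:", r["script"])
```

This is after-the-fact detection: by the time the line is logged the script has already run, so the fix remains the one the issue states (upgrade, or disable the Groovy sandbox, and keep port 9200 off the network). Matching on these names will miss payloads that reach the same classes by other routes; the point is that a legitimate counter update never needs any of them.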
