Disable dynamic Groovy scripting by marking Groovy as not sandboxed #9655
Labels
>breaking
>bug
:Core/Infra/Scripting
Scripting abstractions, Painless, and Mustache
critical
v1.3.8
v1.4.3
v1.5.0
v2.0.0-beta1
Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.
We have been assigned CVE-2015-1427 for this issue.
Versions 1.3.8 and 1.4.3 disable sandboxing for Groovy by default. As a consequence, dynamic script execution is disabled for Groovy. In other words, inline Groovy scripts will not be accepted as part of a request, and will not be retrieved from the
.scripts
index. Groovy scripts can still be used if they are stored in files in theconfig/scripts
directory.Users should upgrade to 1.3.8 or 1.4.3. Users that do not want to upgrade can address the vulnerability by setting
script.groovy.sandbox.enabled
tofalse
inconfig/elasticsearch.yml
and restarting the node.Groovy dynamic scripting disabled in:
The text was updated successfully, but these errors were encountered: