CVE-2015-1427

Elasticsearch vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

Elasticsearch versions before 1.3.8 and 1.4.x before 1.4.3 contain a critical sandbox bypass vulnerability in the Groovy scripting engine. This allows remote attackers to execute arbitrary shell commands by crafting malicious Groovy scripts. The vulnerability enables complete system compromise without requiring authentication. The vulnerability was disclosed on February 17, 2015. CISA has identified CVE-2015-1427 as being exploited but is not currently known to be used in ransomware campaigns.

Technical details

Elasticsearch's Groovy scripting engine contained a sandbox bypass vulnerability that allowed attackers to escape the sandbox restrictions and execute arbitrary shell commands on the server. The vulnerability existed in how Elasticsearch processed and executed Groovy scripts submitted through the script parameter in search queries and other API endpoints. Attackers could craft specially designed Groovy code that leveraged Java reflection and method invocation to access system-level functionality, bypassing the intended security sandbox that was meant to restrict script execution.

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')), CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')) and CWE-265 (Incorrect Privilege Assignment).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.

Impact

This vulnerability allows unauthenticated remote attackers to gain complete control over affected Elasticsearch servers. Attackers can execute arbitrary shell commands with the privileges of the Elasticsearch process, typically the user running the Elasticsearch service. This enables attackers to: read sensitive data from the index database, install malware or backdoors, pivot to other systems on the network, delete or corrupt data, and cause denial of service. The lack of authentication requirements makes this vulnerability extremely dangerous, as it can be exploited by any attacker with network access to the Elasticsearch port (typically 9200).

Mitigation and workarounds

Upgrade Elasticsearch to version 1.3.8 or 1.4.3 or later. Download the appropriate version from elastic.co and follow the upgrade procedure. For Elasticsearch 1.x: Stop the running instance, replace the installation files, and restart the service. Alternatively, disable Groovy scripting entirely by setting 'script.disable_dynamic: true' in elasticsearch.yml if immediate patching is not possible. The following versions include the necessary fixes: 1.3.8, 1.4.3, 1.5.0 and later.

As temporary workarounds: disable dynamic scripting by adding 'script.disable_dynamic: true' to elasticsearch.yml and restarting Elasticsearch; this completely disables dynamic scripts while stored scripts created before the setting was enabled continue to function. Restrict network access to the Elasticsearch REST API port (9200 by default) using firewall rules, network segmentation, or security groups, and only allow trusted clients to connect to Elasticsearch. Finally, disable the Groovy scripting language specifically by setting 'script.groovy.sandbox.collections_access_allowed: false' and restricting other scripting options in elasticsearch.yml.
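As an added example (not part of this advisory or of Elasticsearch itself), the following Python check takes a node's 'GET /' response body and its elasticsearch.yml and reports whether the version falls in the affected ranges above and whether the 'script.disable_dynamic: true' workaround is in place. The sample response and config fragment are constructed, and the YAML scan is a deliberately simple line-based one that only recognises the flat 'script.disable_dynamic: true' form.

```python
import json
import re


def parse_version(s):
    """Turn '1.4.2' (optionally with a suffix such as '-SNAPSHOT') into a tuple of ints."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError("unrecognised Elasticsearch version string: %r" % s)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version is in the ranges CVE-2015-1427 covers:
    anything before 1.3.8, or a 1.4.x release before 1.4.3. 1.5.0 and later are fixed."""
    v = parse_version(version)
    return v < (1, 3, 8) or (1, 4, 0) <= v < (1, 4, 3)


def dynamic_scripting_disabled(yaml_text):
    """Scan an elasticsearch.yml fragment for 'script.disable_dynamic: true'.
    Simplification: only flat 'key: value' lines are understood; comments are stripped.
    An absent key or any other value (e.g. 'sandbox') counts as not disabled."""
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, val = line.partition(":")
        if sep and key.strip() == "script.disable_dynamic":
            return val.strip().lower() == "true"
    return False


def assess(root_response_json, yaml_text):
    """Combine the node version (from the 'GET /' body) with the config into one verdict:
    'not_affected', 'mitigated' (affected version, dynamic scripting off) or 'vulnerable'."""
    version = json.loads(root_response_json)["version"]["number"]
    if not is_affected(version):
        return "not_affected"
    if dynamic_scripting_disabled(yaml_text):
        return "mitigated"
    return "vulnerable"


# Constructed sample of a 1.x node's 'GET /' body and an elasticsearch.yml fragment (not real captures).
SAMPLE_ROOT = '{"status":200,"name":"node-1","version":{"number":"1.4.2","build_snapshot":false},"tagline":"You Know, for Search"}'
SAMPLE_YAML = "cluster.name: example  # constructed config fragment\nscript.disable_dynamic: true\n"

if __name__ == "__main__":
    print("node-1:", assess(SAMPLE_ROOT, SAMPLE_YAML))  # prints "node-1: mitigated"
```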

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI

Related Elastic Vulnerabilities

No related vulnerabilities found with identified affected products.