Elasticsearch Site Plugin Directory Traversal Vulnerability


Description   A directory traversal vulnerability has been reported in Elasticsearch.
A remote attacker could exploit it via a specially crafted URL in order to retrieve arbitrary files from the server.
This vulnerability is exploitable only if a 'site plugin' is installed.
Updated, 01/05/2015:
A proof of concept is available.
Updated, 26/06/2015:
The elasticsearch packages provided by FreeBSD are vulnerable.
Updated, 03/07/2015:
Exploit code is available in D2 Exploitation Pack.
     
Vulnerable Products   Vulnerable OS:
- FreeBSD (FreeBSD)
- GNU/Linux (Debian) - 8
Vulnerable Software:
- ElasticSearch (ElasticSearch) - 1.0, 1.1, 1.2, 1.3, 1.3.1, ..., 1.4.0 b1, 1.4.1, 1.4.2, 1.5, 1.5.1
     
Solution   Versions 1.5.2 and 1.4.5 of Elasticsearch fix this vulnerability.
Workarounds for any site plugin:
- set “http.disable_sites” to true and restart the Elasticsearch node
- use a firewall or proxy to block HTTP requests to /_plugin
- uninstall all site plugins from all Elasticsearch nodes.
Updated, 29/04/2015:
Fixed elasticsearch packages for Jessie 8 are available.
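
The fix versions and workaround conditions above, as an added example (not code from this advisory or from Elasticsearch): a Python check that classifies a node from its version string, its plugins directory and its http.disable_sites setting. It assumes site plugins are the plugin directories that contain a `_site` subdirectory and that every release after 1.5.2 carries the fix; the function names are hypothetical.

```python
import re
from pathlib import Path

def parse_version(text):
    """Return (major, minor, patch) from strings such as '1.4.0 b1' or '1.5'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_patched(version):
    """True for 1.4.5+ on the 1.4 line and for 1.5.2 or later (fix versions per the advisory)."""
    v = parse_version(version)
    if v[:2] == (1, 4):
        return v >= (1, 4, 5)
    # Assumption: every release after 1.5.2 carries the fix.
    return v >= (1, 5, 2)

def site_plugins(plugins_dir):
    """Names of installed plugins that contain a _site directory (assumed layout)."""
    root = Path(plugins_dir)
    if not root.is_dir():
        return []
    return sorted(p.name for p in root.iterdir() if (p / "_site").is_dir())

def assess(version, plugins_dir, disable_sites=False):
    """Classify one node; disable_sites mirrors http.disable_sites in its config."""
    if is_patched(version):
        return ("patched", [])
    plugins = site_plugins(plugins_dir)
    if not plugins:
        return ("no site plugin", [])      # affected version, precondition not met
    if disable_sites:
        return ("mitigated", plugins)      # workaround: http.disable_sites set to true
    return ("exposed", plugins)            # upgrade, or apply one of the workarounds

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:   # constructed sample layout
        (Path(d) / "sample-ui" / "_site").mkdir(parents=True)
        (Path(d) / "sample-analyzer").mkdir()
        for ver, flag in [("1.4.0 b1", False), ("1.5.1", True), ("1.4.5", False)]:
            print(ver, flag, assess(ver, d, flag))
```

A firewall or proxy rule that blocks /_plugin is not visible from the node itself, so "exposed" here means only that no node-local mitigation was found.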
     
CVE   CVE-2015-3337
     
References   - Elasticsearch : CVE-2015-3337
https://www.elastic.co/community/security/
- DSA 3241-1 : elasticsearch security update
http://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00129.html
- VuXML : elasticsearch -- directory traversal attack with site plugins
http://www.vuxml.org/freebsd/a71e7440-1ba3-11e5-b43d-002590263bf5.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm | Available Since
Misc : Directory traversal - parameter starting with ../ | 3.2.0
Directory traversal using ..\.. | 3.2.0
Directory traversal | 3.2.0
Directory traversal backward root folder | 3.2.0
     


 
 
 
 
Risk level   Low

Vulnerability First Public Report Date   2015-04-27

Target Type   Server

Possible exploit   Remote