Elasticsearch remote code execution
Description
Elasticsearch versions prior to 1.2.0 contain a critical vulnerability in their default configuration that allows remote code execution through dynamic scripting. The search engine ships with dynamic scripting enabled and lacks authentication mechanisms, allowing any network-accessible client to execute arbitrary code by submitting malicious scripts through the REST API. This vulnerability is particularly dangerous because it can be exploited by malicious webpages that cause visitors' browsers to send crafted requests to local Elasticsearch instances running on default ports.
Remediation
Immediately apply the following security measures to mitigate this vulnerability:
1. Disable dynamic scripting by adding the following line to your elasticsearch.yml file:
script.disable_dynamic: true
2. Restrict network access by configuring Elasticsearch to bind only to localhost. Add this line to elasticsearch.yml:
network.host: 127.0.0.1
3. Upgrade to a patched version of Elasticsearch (version 1.2.0 or later), which addresses this vulnerability and provides improved security controls.
4. Implement network-level controls such as firewall rules to ensure Elasticsearch is not accessible from untrusted networks.
After making configuration changes, restart the Elasticsearch service for the settings to take effect.
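To verify steps 1 and 2 on a host, the following added audit script (not part of this advisory or of Elasticsearch itself) parses a flat elasticsearch.yml and reports whether dynamic scripting is still enabled or the node is bound to a non-loopback address; the sample configurations embedded in it are constructed for illustration.

```python
"""Audit a pre-1.2 style elasticsearch.yml for the two settings this advisory
says to change.  Added example; not Elasticsearch's own tooling."""

# Addresses accepted as a loopback-only bind for the network.host check.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Minimal parser for flat 'key: value' lines; skips comments and blanks.
    Assumption: the file uses the dotted-key form shown in the remediation."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return a list of findings; an empty list means both settings are in place."""
    s = parse_flat_yaml(text)
    findings = []
    # Before 1.2.0 dynamic scripting is on unless explicitly disabled.
    if s.get("script.disable_dynamic", "false").lower() != "true":
        findings.append("dynamic scripting enabled: set script.disable_dynamic: true")
    # The default bind is not loopback-only; require an explicit loopback address.
    if s.get("network.host") not in LOOPBACK:
        findings.append("bound to non-loopback interface: set network.host: 127.0.0.1")
    return findings


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = """
cluster.name: demo
# dynamic scripting left at its default (enabled), node bound to all interfaces
network.host: 0.0.0.0
"""

HARDENED_CONFIG = """
cluster.name: demo
script.disable_dynamic: true
network.host: 127.0.0.1
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```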