Description

Elasticsearch is a highly scalable open-source full-text search and analytics engine. It allows you to store, search, and analyze large volumes of data quickly and in near real time. It is generally used as the underlying engine that powers applications with complex search features and requirements.

Elasticsearch has a flaw in its default configuration that makes it possible for any web page to execute arbitrary code on the machines of visitors who have Elasticsearch installed. Elasticsearch has no access roles or authentication mechanism. This means that anyone who can connect to a cluster has full control over it.

Remediation

Add the following line to your elasticsearch.yml to disable dynamic scripting and prevent remote code execution:

script.disable_dynamic: true

You should also make sure that your local Elasticsearch instance is only binding on localhost.
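
One way to check an elasticsearch.yml for both remediation steps above, as an added example that is not part of the original advisory. The `network.host` and `network.bind_host` setting names, the helper names and the sample configurations are assumptions that do not appear on this page; the samples are constructed.

```python
import ipaddress

def flatten_yaml(text):
    """Flatten the simple flat or nested mappings of elasticsearch.yml to dotted keys."""
    settings, stack = {}, []  # stack: (indent, key) of currently open parent mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left the scope of a deeper or sibling parent
        value = value.strip().strip("\"'")
        if value:
            settings[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return settings

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames and unknown placeholders are not trusted

def audit(text):
    """Return a list of findings; an empty list means both settings are in place."""
    s = flatten_yaml(text)
    findings = []
    if s.get("script.disable_dynamic", "").lower() != "true":
        findings.append("script.disable_dynamic is not true: dynamic scripting stays enabled")
    # Assumption: network.bind_host, when set, overrides network.host for binding.
    host = s.get("network.bind_host") or s.get("network.host")
    if host is None:
        findings.append("network.host is not set: bind address is left to the default")
    elif not is_loopback(host):
        findings.append(f"bind address is {host}: not restricted to localhost")
    return findings

# Constructed sample configurations (not taken from a real deployment).
WEAK = "cluster.name: demo\nnetwork.host: 0.0.0.0\n"
HARDENED = "cluster.name: demo\nscript.disable_dynamic: true\nnetwork.host: 127.0.0.1\n"
NESTED = "script:\n  disable_dynamic: true\nnetwork:\n  host: \"::1\"   # loopback only\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("nested", NESTED)):
        print(name, audit(cfg) or "OK")
```
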
