Attackers targeting Elasticsearch remote code execution hole

Attackers are targeting a patched remote code execution vulnerability in Elasticsearch that grants unauthenticated bad guys access through a buggy API. The flaw (CVE-2015-1427) within the world's number two enterprise search engine was patched last month. It relates, the folks at Mitre say, to the Groovy scripting engine in …

  1. jillesvangurp

    Don't run Elasticsearch on a public endpoint

    This only affects people that somehow didn't get the memo that it is an extremely bad idea to run something like a database, or indeed Elasticsearch, on a public port. Seriously, don't do that, ever. If you do so anyway, you'll at least want to put in place some security, like for example an HTTPS proxy + basic authentication.

    If you don't do that, this hole in the API is the least of your problems and you are trivially exposed to people crashing Elasticsearch with a few nasty queries, filling up your disk with some write traffic, killing all CPU by sending some expensive queries, or stealing all the data you have in Elasticsearch. If all that is fine with you, then yes, you also expose yourself to remote script execution. In a controlled environment, scripting support in ES is still useful. They are similar to stored procedures in a database.
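One way to audit a host for the exposure the comment above warns about, as an added example that is not part of the original comment or article: it parses `ss -ltnH` output and reports Elasticsearch listeners bound beyond loopback. It assumes the default ports 9200 (HTTP API) and 9300 (transport); the sample output is constructed, and an "interface" result means the bind address needs review, not that it is necessarily internet-facing.

```python
import ipaddress

# Elasticsearch default ports (assumed unchanged): 9200 HTTP API, 9300 transport.
ES_PORTS = {9200, 9300}

# Constructed sample of `ss -ltnH` output, not taken from a real host.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9300 0.0.0.0:*
LISTEN 0 128 [::1]:9200 [::]:*
LISTEN 0 128 [::]:9200 [::]:*
LISTEN 0 128 *:9200 *:*
LISTEN 0 128 10.0.0.5:9200 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv6 in brackets) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def classify(addr):
    """Return 'loopback', 'wildcard' or 'interface' for a bind address."""
    addr = addr.split("%")[0]  # drop an IPv6 zone id such as %eth0
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "wildcard" if ip.is_unspecified else "interface"

def exposed_es_listeners(ss_output):
    """List (addr, port, kind) for ES ports bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips a header row or blank line
        addr, port = split_endpoint(fields[3])
        kind = classify(addr)
        if port in ES_PORTS and kind != "loopback":
            findings.append((addr, port, kind))
    return findings

if __name__ == "__main__":
    for addr, port, kind in exposed_es_listeners(SAMPLE_SS):
        print(f"{addr}:{port} bound to {kind}; restrict the bind "
              "address or front it with an authenticating proxy")
```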


Biting the hand that feeds IT © 1998–2019