Elasticsearch 'source' Parameter RCE

medium Nessus Plugin ID 76572

Synopsis

The remote web server hosts a Java application that is affected by a remote code execution vulnerability.

Description

The Elasticsearch application hosted on the remote web server is affected by a remote code execution vulnerability due to a failure to properly sanitize user-supplied input to the 'source' parameter of the '/_search' page. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary Java code or manipulate files on the remote host.

Solution

Upgrade to version 1.2.0 or later.

See Also

http://bouk.co/blog/elasticsearch-rce/

https://www.elastic.co/blog/found-elasticsearch-security

Plugin Details

Severity: Medium

ID: 76572

File Name: elasticsearch_rce.nasl

Version: 1.11

Type: remote

Family: CGI abuses

Published: 7/17/2014

Updated: 3/28/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2014-3120

Vulnerability Information

CPE: cpe:/a:elasticsearch:elasticsearch

Required KB Items: installed_sw/Elasticsearch

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/22/2014

Vulnerability Publication Date: 12/9/2013

CISA Known Exploited Vulnerability Due Dates: 4/15/2022

Exploitable With

Metasploit (ElasticSearch Dynamic Script Arbitrary Java Execution)

Reference Information

CVE: CVE-2014-3120

BID: 67731