Elasticsearch: It is unclear how security-related issues have been fixed in 1.6.1 / 1.7.0

Created on 22 Jul 2015 · 4 Comments · Source: elastic/elasticsearch

From looking at the commit log, I can't figure out how exactly a few vulnerabilities have been fixed in recent versions of Elasticsearch. It would be very helpful if the specific commits that fix such issues were marked as such. I am specifically looking for the commits fixing

  • CVE-2015-4165 (File modification)
  • CVE-2015-5377 (Remote code execution)
  • CVE-2015-5531 (Directory traversal)

The background here is that there are concerns that the 1.0.3-based package shipped as part of Debian 8.x (jessie) may still be vulnerable.


@hillu the security page of the website lists all the CVE's for Elasticsearch and which versions are affected: https://www.elastic.co/community/security

This should help you identify which CVEs are relevant to your version. To avoid known security vulnerabilities it is recommended that you stay up to date with the latest version of Elasticsearch. Details of how to add the Elasticsearch debian repository can be found here: https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html

@colings86 I am looking for the specific commits that fix the three CVEs so I can find out whether there is any need to fix the 1.0.3-based packages that come as part of Debian/jessie which I help maintain.

Hi @hillu

We have discussed this issue internally. The consensus that we arrived at was that we don't want to make it any easier than absolutely necessary for blackhats to find exploitable code. Even having whitehats commit patches makes it easy for blackhats. We want to give our users as much chance to upgrade as possible before these exploits become public.

For this reason we won't publish links to the actual commits. The affected versions are listed on https://www.elastic.co/community/security

Honestly, we've fixed so many non-security related bugs since 1.0.3 that it would be a mistake for any user to continue to use such an old version.

Hope you understand our stance

thanks

Sorry, I don't understand -- the point about blackhats having to invest a bit less time to find exploits seems a bit like a red herring to me -- and it is not far from Oracle-style "advisories" ("Undisclosed vulnerability in component $FOO").

I'm afraid it's probably not going to be possible to upgrade the Elasticsearch packages shipped with Debian/jessie to 1.6.1 or 1.7.0, so we'd very much like to fix the problems in the 1.0.3 codebase if they exist there.

Couldn't you just tell me via private mail to [email protected] how those CVE-worthy bugs were fixed?

Thanks,
-Hilko
