
Elasticsearch Vulnerability

Question asked by Ken McCartney on Aug 7, 2014
Latest reply on Aug 20, 2014 by Alex Nassi
Apparently, there is a vulnerability in previous versions of Elasticsearch (the only version that Sugar supports) that allows remote execution of code on your server. Fortunately, there was nothing on my server aside from Elasticsearch, so no other data was compromised (as far as I know). My server was used in numerous attacks against another server. Apparently, this exploit was first discovered in December 2013.

The issue was brought to my attention by my server's host. When I logged in, I ran a command history and found many iterations of a script that attempts to log in to a MySQL instance. I'm not a security expert, so I found these helpful:

From elasticsearch security issues page (with links to other pertaining articles):
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3120

Elasticsearch suggested the correct fix is to disable dynamic scripting.
Add to elasticsearch.yml:
script.disable_dynamic: true
(http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html)

Elasticsearch doesn't have the friendliest documentation, and didn't have any instruction as to what to do to clean up after you've been hacked. I found this blog entry helpful in removing at least some of the files that were added through the exploit.
http://www.vanimpe.eu/2014/07/09/elasticsearch-vulnerability-exploit/

Thanks and have a nice day!
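The post's fix is a single line in elasticsearch.yml, and the two ways it silently fails to apply are a commented-out line and a `key:value` line with no space after the colon (YAML reads that as a plain string, not a mapping entry). The script below is an added example, not part of the original post or of Elasticsearch itself; it audits an elasticsearch.yml for the `script.disable_dynamic` setting. It assumes the flat `key: value` layout Elasticsearch 1.x uses, and the three sample files in it are constructed for the demonstration. A missing setting is reported as "not set" rather than "enabled" because the default depends on the release (dynamic scripting was on by default before 1.2 and off from 1.2 onward).

```python
"""Audit an Elasticsearch 1.x elasticsearch.yml for the dynamic-scripting fix.

Added example, not from the original post. Assumes the flat `key: value`
layout of Elasticsearch 1.x config files.
"""
import re
import sys

SETTING = "script.disable_dynamic"

# Constructed sample files; none of these come from a real server.
YML_MISSING = """\
cluster.name: sugarcrm-search
node.name: "node-1"
# script.disable_dynamic: true   (commented out, so it has no effect)
"""

YML_MALFORMED = """\
cluster.name: sugarcrm-search
script.disable_dynamic:true
"""

YML_FIXED = """\
cluster.name: sugarcrm-search
script.disable_dynamic: true
"""


def parse_settings(text):
    """Parse the flat `key: value` lines of an elasticsearch.yml.

    Returns (settings, malformed): settings maps key -> value for well-formed
    lines; malformed lists lines of the form `key:value` with no space after
    the colon, which YAML treats as a plain string, not a mapping entry.
    """
    settings = {}
    malformed = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        m = re.match(r"^\s*([A-Za-z0-9_.]+):(\s*)(.*)$", line)
        if not m:
            continue
        key, gap, value = m.groups()
        if gap == "" and value != "":
            malformed.append(line.strip())
            continue
        settings[key] = value.strip().strip("'\"")
    return settings, malformed


def dynamic_scripting_status(text):
    """Classify a config as 'disabled', 'enabled', 'malformed' or 'not set'."""
    settings, malformed = parse_settings(text)
    if any(line.startswith(SETTING + ":") for line in malformed):
        return "malformed"
    if SETTING not in settings:
        return "not set"  # falls back to the release default
    return "disabled" if settings[SETTING].lower() == "true" else "enabled"


def main(argv):
    """With a path argument, audit that file; otherwise run over the samples."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            print(f"{argv[1]}: dynamic scripting {dynamic_scripting_status(fh.read())}")
        return
    samples = (("missing", YML_MISSING), ("malformed", YML_MALFORMED), ("fixed", YML_FIXED))
    for name, text in samples:
        print(f"{name}: dynamic scripting {dynamic_scripting_status(text)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python check_es_scripting.py /path/to/elasticsearch.yml` on a node; only a result of "disabled" means the post's fix is actually in effect. The `script.disable_dynamic` key belongs to the 1.x line discussed in the post, so the checker is not a substitute for simply upgrading to a release where dynamic scripting is off by default.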
