Elasticsearch 1.5.2 and 1.4.5 Released

We would like to announce security bugfix releases of Elasticsearch 1.5.2 and Elasticsearch 1.4.5, both based on Lucene 4.10.4. You can download them and read the full changes list here:

THESE RELEASES FIX A DIRECTORY TRAVERSAL VULNERABILITY. WE ADVISE ALL USERS TO UPGRADE.

For blog posts about past releases see:

You can read about all of the changes that have been made in the 1.5.2 and 1.4.5 release notes, but the security issue is explained below:

Directory traversal vulnerability found

All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch. This vulnerability is not present in the initial installation of Elasticsearch. The vulnerability is exposed when a “site plugin” is installed. Elastic's Marvel plugin and many community-sponsored plugins (e.g. Kopf, BigDesk, Head) are site plugins. Elastic Shield, Licensing, Cloud-AWS, Cloud-GCE, Cloud-Azure, the analysis plugins, and the river plugins are not site plugins.

We have been assigned CVE-2015-3337 for this issue.

Versions 1.5.2 and 1.4.5 have addressed this vulnerability, and we advise all users to upgrade.

Users that do not want to upgrade can address the vulnerability in several ways, but these options will break any site plugin:

  • Set http.disable_sites to true in the elasticsearch.yml config file on any node with a site plugin, and restart the Elasticsearch node.
  • Use a firewall or proxy to block HTTP requests to /_plugin.
  • Uninstall all site plugins from all Elasticsearch nodes.
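For operators triaging a fleet, the exposure conditions above (affected version, a site plugin installed, http.disable_sites not set) can be checked per node. The following is an added example, not Elastic's code; the inventory record layout and the node names are assumptions constructed for illustration.

```python
import re

def parse_version(text):
    """Return (major, minor, patch) from a version string such as '1.4.4'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(part) for part in m.groups())

def version_is_affected(text):
    """Per the advisory: anything before 1.4.5, plus 1.5.x before 1.5.2."""
    v = parse_version(text)
    return v < (1, 4, 5) or (1, 5, 0) <= v < (1, 5, 2)

def audit_node(node):
    """Return (status, site_plugin_names) for one inventory record."""
    if not version_is_affected(node["version"]):
        return "fixed", []
    site = [p["name"] for p in node.get("plugins", []) if p.get("site")]
    if not site:
        return "no-site-plugin", []
    # http.disable_sites: true is the config-level workaround from the list above.
    if str(node.get("http.disable_sites", "false")).lower() == "true":
        return "mitigated", site
    # A firewall/proxy block on /_plugin is not visible here; verify it separately.
    return "exposed", site

def audit(nodes):
    return {n["name"]: audit_node(n) for n in nodes}

# Constructed sample inventory (field names are assumptions, not an Elasticsearch format).
SAMPLE_NODES = [
    {"name": "es-a", "version": "1.4.4",
     "plugins": [{"name": "head", "site": True}]},
    {"name": "es-b", "version": "1.5.1", "http.disable_sites": True,
     "plugins": [{"name": "marvel", "site": True}]},
    {"name": "es-c", "version": "1.5.0",
     "plugins": [{"name": "cloud-aws", "site": False}]},
    {"name": "es-d", "version": "1.5.2",
     "plugins": [{"name": "kopf", "site": True}]},
]

if __name__ == "__main__":
    for name, (status, plugins) in sorted(audit(SAMPLE_NODES).items()):
        print("%-5s %-15s %s" % (name, status, ", ".join(plugins)))
```

Nodes reported as "exposed" need the upgrade or one of the workarounds; "mitigated" nodes still run an affected version and should be upgraded when possible.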

Thanks to John Heasman of DocuSign for reporting this issue.

Other notable changes

Some important changes have been back-ported to v1.4.5:

Please download Elasticsearch 1.5.2, try it out, and let us know what you think on Twitter (@elastic). You can report any problems on the GitHub issues page.