Elasticsearch 1.5.2 and 1.4.5 Released
We would like to announce security bugfix releases of Elasticsearch 1.5.2 and Elasticsearch 1.4.5, both based on Lucene 4.10.4. You can download them and read the full changes list here:
- Latest stable release: Elasticsearch 1.5.2
- Bug fixes for 1.4.x: Elasticsearch 1.4.5
THESE RELEASES FIX A DIRECTORY TRAVERSAL VULNERABILITY. WE ADVISE ALL USERS TO UPGRADE.
You can read about all of the changes that have been made in the 1.5.2 and 1.4.5 release notes, but the security issue is explained below:
Directory traversal vulnerability found
All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch. This vulnerability is not present in the initial installation of Elasticsearch. The vulnerability is exposed when a “site plugin” is installed. Elastic's Marvel plugin and many community-sponsored plugins (e.g. Kopf, BigDesk, Head) are site plugins. Elastic Shield, Licensing, Cloud-AWS, Cloud-GCE, Cloud-Azure, the analysis plugins, and the river plugins are not site plugins.
We have been assigned CVE-2015-3337 for this issue.
Versions 1.5.2 and 1.4.5 have addressed this vulnerability, and we advise all users to upgrade.
Users that do not want to upgrade can address the vulnerability in several ways, but these options will break any site plugin:
- Set http.disable_sites to true in the elasticsearch.yml config file on any node with a site plugin, and restart the Elasticsearch node.
- Use a firewall or proxy to block HTTP requests to /_plugin.
- Uninstall all site plugins from all Elasticsearch nodes.
Thanks to John Heasman of DocuSign for reporting this issue.
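The exposure conditions above (unpatched version, site plugin installed, sites not disabled) written as a node triage check. This is an added example, not code from Elastic: the function names, the flat-key parsing of elasticsearch.yml, and the assumption that a site plugin is a plugins/<name>/ directory containing _site/ are ours.

```python
import os
import re
import tempfile

def is_fixed(version):
    # Per the advisory: 1.4.5 fixes the 1.4.x line, 1.5.2 fixes everything else.
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    v = tuple(int(p) for p in m.groups())
    return v >= (1, 4, 5) if v[:2] == (1, 4) else v >= (1, 5, 2)

def site_plugins(plugins_dir):
    # Assumption: a site plugin is a plugins/<name>/ directory containing _site/.
    if not os.path.isdir(plugins_dir):
        return []
    return sorted(n for n in os.listdir(plugins_dir)
                  if os.path.isdir(os.path.join(plugins_dir, n, "_site")))

def sites_disabled(yml_text):
    # Only the flat "http.disable_sites: true" form is recognised; a nested
    # YAML form is reported as not disabled, which errs towards "exposed".
    for line in yml_text.splitlines():
        m = re.match(r"http\.disable_sites\s*:\s*(\S+)$", line.split("#", 1)[0].strip())
        if m:
            return m.group(1).strip("'\"").lower() == "true"
    return False

def assess(version, yml_text, plugins_dir):
    plugins = site_plugins(plugins_dir)
    if is_fixed(version):
        return "patched", plugins
    if not plugins:
        return "unpatched, no site plugin", plugins
    if sites_disabled(yml_text):
        return "unpatched, sites disabled", plugins
    return "exposed", plugins

def demo():
    # Constructed node layout: one site plugin (head) and one non-site plugin.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "head", "_site"))
    os.makedirs(os.path.join(root, "cloud-aws"))
    return [assess("1.5.1", "", root),
            assess("1.5.1", "http.disable_sites: true  # workaround\n", root),
            assess("1.4.5", "", root),
            assess("1.3.9", "", os.path.join(root, "missing"))]

if __name__ == "__main__":
    print(demo())
```

A node reported as "unpatched, no site plugin" still runs a vulnerable version and becomes exposed as soon as a site plugin is installed.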
Other notable changes
- Indexed scripts and templates are properly removed from the cache when overwritten or deleted.
- There have been a number of geo-shape fixes, including an important precision fix when using distance_error_pct.
- Default mappings in index templates are now taken into account during bulk indexing.
- Shadow replicas are now more resilient to file system latency, and support smoother relocation of the primary shard.
- A mapping refresh loop when using geo-contexts in the completion suggester has been fixed.
Some important changes have been back-ported to v1.4.5:
- Merges are enabled on the recovering shard for faster recovery of big shards.
- Graceful handling of truncated translogs.
- Throttling of delete-by-query when merges are falling behind.
Please download Elasticsearch 1.5.2, try it out, and let us know what you think on Twitter (@elastic). You can report any problems on the GitHub issues page.