https://bugzilla.redhat.com/show_bug.cgi?id=1230761 Bug ID: 1230761 Summary: CVE-2015-4165 elasticsearch: unspecified arbitrary files modification vulnerability Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: vkaigoro(a)redhat.com CC: bkabrda(a)redhat.com, bkearney(a)redhat.com, bobjensen(a)gmail.com, cbillett(a)redhat.com, cpelland(a)redhat.com, cperry(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, katello-bugs(a)redhat.com, kseifried(a)redhat.com, mmccune(a)redhat.com, ohadlevy(a)redhat.com, pbrobinson(a)gmail.com, tjay(a)redhat.com, tomckay(a)redhat.com, zbyszek(a)in.waw.pl All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications. Upstream bug/commit unknown at the time of writing. Mitigation: =========== Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read. External References: https://www.elastic.co/community/security/ -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=H4BjU1KRX1&a=cc_unsubscribe