| Bug ID | 934507 |
|---|---|
| Summary | VUL-0: CVE-2015-4165: elasticsearch: unspecified arbitrary files modification vulnerability |
| Classification | openSUSE |
| Product | openSUSE.org |
| Version | unspecified |
| Hardware | Other |
| URL | https://smash.suse.de/issue/117585/ |
| OS | openSUSE 13.2 |
| Status | NEW |
| Severity | Major |
| Priority | P5 - None |
| Component | 3rd party software |
| Assignee | heinemannj66@gmail.com |
| Reporter | astieger@suse.com |
| QA Contact | opensuse-communityscreening@forge.provo.novell.com |
| CC | security-team@suse.de |
| Found By | Security Response Team |
| Blocker | --- |
Courtesy bug for elasticsearch, as found in devel:languages:python and /security:logging:elma:devel. Not in any openSUSE distribution. All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications. Upstream bug/commit unknown at the time of writing. Mitigation: =========== Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read. External References: https://www.elastic.co/community/security/ References: https://bugzilla.redhat.com/show_bug.cgi?id=1230761 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4165 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4165