Please send security vulnerability reports to security@elastic.co. This address covers Elasticsearch, Logstash, Kibana, Elasticsearch for Apache Hadoop, Marvel, Shield, the language integrations, and our plugins. We accept only security issues at this address; ordinary bug reports should go to the bug database of the project concerned.

If you would like to encrypt your message to us, please use our PGP key. The fingerprint is

1224 D1A5 72A7 3755 B61A 377B 14D6 5EE0 D2AE 61D2

The key is available from pgp.mit.edu; search for elasticsearch. Keyservers do not verify who uploaded a key, so after importing it check that its fingerprint matches the one above before encrypting anything to it.

Submitting an Issue

When we receive an issue we will evaluate it and, if we agree it is a vulnerability, we'll work to fix it and release the fix in a timeframe that matches the severity.

Let us know if you would like credit for discovering the issue. We can cite you as the discoverer if we weren't previously aware of the issue.

About Elastic Security Advisories

An Elastic Security Advisory ("ESA") is a notice from Elastic to its users of security issues with the Elastic products. Elastic assigns an identifier to each ESA. Prior to 2016, Elastic obtained CVE identifiers for security issues. Recent policy changes have made it impossible for us to receive CVE identifiers for all of our products. As a result, we now assign only ESA identifiers to issues.

Previously Announced Vulnerabilities

Logstash

ESA-2016-02 | CVE: none | Disclosed: 2016-07-07
  Vulnerability: Prior to version 2.3.4, the Elasticsearch output plugin logged HTTP Authorization headers, which can contain credentials, to file.
  Remediation: Users who secure the Logstash-to-Elasticsearch connection with Basic authentication (through Elastic Shield or another system) should upgrade to 2.3.4.

ESA-2016-01 | CVE: none | Disclosed: 2016-02-02
  Vulnerability: Prior to version 2.1.2, the CSV output could be attacked with crafted input that places malicious spreadsheet formulas in the CSV data.
  Remediation: Users of the Logstash CSV output plugin, or who may use it in the future, should upgrade to 2.2.0 or 2.1.2.

ESA-2015-09 | CVE-2015-5619 | Disclosed: 2015-07-22
  Vulnerability: All Logstash versions prior to 1.5.3 that use the Lumberjack output are vulnerable to a man-in-the-middle attack. Logstash Forwarder is not affected.
  Remediation: Users should upgrade to 1.5.4 or 1.4.5. Users who do not want to upgrade can address the vulnerability by disabling the Lumberjack output.

ESA-2015-07 | CVE-2015-5378 | Disclosed: 2015-06-30
  Vulnerability: All Logstash versions prior to 1.5.2 that use the Lumberjack input (in combination with the Logstash Forwarder agent) are vulnerable to the SSL/TLS weakness known as the FREAK attack, which lets an attacker intercept the connection and read data that should have been protected.
  Remediation: Users should upgrade to 1.5.3 or 1.4.4. Users who do not want to upgrade can address the vulnerability by disabling the Lumberjack input.

ESA-2015-04 | CVE-2015-4152 | Disclosed: 2015-06-09
  Vulnerability: All Logstash versions prior to 1.4.3 that use the file output plugin are vulnerable to a directory traversal attack that lets an attacker write files as the Logstash user.
  Remediation: Users should upgrade to 1.4.3 or 1.5.0. Users who do not want to upgrade can address the vulnerability by disabling the file output plugin.

ESA-2014-02 | CVE-2014-4326 | Disclosed: 2014-06-24
  Vulnerability: Logstash 1.4.1 and prior, when configured to use the Zabbix or Nagios outputs, allow an attacker who can send crafted events to Logstash inputs to make Logstash execute OS commands.
  Remediation: Upgrade to Logstash 1.4.2 or later, or disable the Zabbix and Nagios outputs.
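The issue class behind ESA-2016-01 is worth seeing in code. The following Ruby routine is an added example, not Logstash's own plugin code: it writes event fields to CSV verbatim beside a version that neutralises cells a spreadsheet would evaluate as formulas. The events, column list, and the single-quote prefix strategy are constructed for the illustration; the fix Logstash itself shipped is not described on this page.

```ruby
# Added example (not Logstash code): spreadsheet formula injection in CSV
# output, vulnerable writer beside a hardened one.
require "csv"

# Leading characters that make a spreadsheet evaluate a cell as a formula.
# Tab and carriage return are included because some applications strip
# them before deciding whether the cell is a formula.
FORMULA_PREFIXES = ["=", "+", "-", "@", "\t", "\r"].freeze

# Plain signed numbers ("-15", "+3.5") start with a formula prefix but are
# not formulas; they are passed through so numeric columns stay usable.
PLAIN_NUMBER = /\A[+-]?\d+(\.\d+)?\z/

def formula?(value)
  s = value.to_s
  return false if s.empty? || PLAIN_NUMBER.match?(s)
  FORMULA_PREFIXES.any? { |p| s.start_with?(p) }
end

# Mitigation chosen here (an assumption, not the page's): prefix the cell
# with a single quote, which spreadsheets treat as "this cell is text".
# The quote becomes part of the data, a visible change rather than silent
# truncation of attacker-controlled input.
def sanitize_csv_field(value)
  s = value.to_s
  formula?(s) ? "'" + s : s
end

# Vulnerable behaviour: fields reach the CSV writer unmodified.
def csv_line_unsafe(event, columns)
  CSV.generate_line(columns.map { |c| event[c] }).chomp
end

# Hardened behaviour: every field passes through sanitize_csv_field first.
def csv_line_safe(event, columns)
  CSV.generate_line(columns.map { |c| sanitize_csv_field(event[c]) }).chomp
end

# Constructed sample events, as a pipeline might receive them from an
# untrusted source; the "user" values are attacker-chosen.
SAMPLE_EVENTS = [
  { "ts" => "2016-02-02T10:00:00Z", "user" => "=HYPERLINK(A1)", "msg" => "auth-failure" },
  { "ts" => "2016-02-02T10:00:01Z", "user" => "@SUM(A1:A3)",    "msg" => "auth-failure" },
  { "ts" => "2016-02-02T10:00:02Z", "user" => "alice",          "msg" => "auth-ok" },
  { "ts" => "2016-02-02T10:00:03Z", "user" => "-15",            "msg" => "balance" },
].freeze
COLUMNS = %w[ts user msg].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each do |e|
    puts "unsafe: #{csv_line_unsafe(e, COLUMNS)}"
    puts "safe:   #{csv_line_safe(e, COLUMNS)}"
  end
end
```

The same check applies to any output that ends up in a spreadsheet, not only this plugin. The trade-off is deliberate: a quoted cell is no longer byte-identical to the original field, so the sanitiser is applied at the boundary where data leaves the pipeline rather than to the stored event.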
Elasticsearch

ESA-2015-08 | CVE-2015-5531 | Disclosed: 2015-07-16
  Vulnerability: Elasticsearch versions 1.0.0 through 1.6.0 are vulnerable to a directory traversal attack.
  Remediation: Users should upgrade to 1.6.1 or later, or restrict access to the snapshot API to trusted sources.

ESA-2015-06 | CVE-2015-5377 | Disclosed: 2015-07-16
  Vulnerability: Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution.
  Remediation: Users should upgrade to 1.6.1 or 1.7.0. Alternatively, ensure that only trusted applications can reach the transport protocol port.

ESA-2015-05 | CVE-2015-4165 | Disclosed: 2015-04-27
  Vulnerability: All Elasticsearch versions 1.0.0 through 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.
  Remediation: Users should upgrade to 1.6.0. Alternatively, ensure that no such applications are present on the system, or that Elasticsearch cannot write to locations those applications read from.

ESA-2015-02 | CVE-2015-3337 | Disclosed: 2015-04-27
  Vulnerability: All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that lets an attacker retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when the server runs Windows.
  Remediation: Users should upgrade to 1.4.5 or 1.5.2. Users who do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options.

ESA-2015-01 | CVE-2015-1427 | Disclosed: 2015-02-11
  Vulnerability: Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine, introduced in 1.3.0, that allow an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.
  Remediation: Users should upgrade to 1.3.8 or 1.4.3. Users who do not want to upgrade can address the vulnerability by setting script.groovy.sandbox.enabled to false in elasticsearch.yml and restarting the node.

ESA-2014-03 | CVE-2014-6439 | Disclosed: 2014-11-05
  Vulnerability: Elasticsearch versions 1.3.x and prior ship a default CORS configuration that allows an attacker to craft links that cause a user's browser to send requests to Elasticsearch instances on the user's local network. These requests could cause data loss or compromise.
  Remediation: Users should either set http.cors.enabled to false, or set http.cors.allow-origin to the origin that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not suit every use case.

ESA-2014-01 | CVE-2014-3120 | Disclosed: 2014-05-22
  Vulnerability: In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default, which can allow an attacker to execute OS commands.
  Remediation: Disable dynamic scripting.
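Three of the workarounds above (ESA-2014-01, ESA-2014-03, ESA-2015-01) are settings in elasticsearch.yml, so they can be audited mechanically. The following Ruby script is an added example, not Elastic's code: it reads a 1.x elasticsearch.yml and reports which of those settings is still in its insecure state. It assumes the 1.x setting name script.disable_dynamic for "disable dynamic scripting" (the page does not name the key; 1.6 and later use different script settings), treats an absent setting as the insecure pre-fix default rather than guessing the node version, accepts both the nested and the dotted YAML spellings Elasticsearch allows, and uses constructed sample configurations.

```ruby
# Added example (not Elastic code): audit elasticsearch.yml for the 1.x
# settings named in ESA-2014-01, ESA-2014-03 and ESA-2015-01.
require "yaml"

# Flatten nested YAML hashes into dotted keys, so that
#   http: { cors: { enabled: true } }   and   http.cors.enabled: true
# both yield the key "http.cors.enabled".
def flatten_settings(hash, prefix = nil, out = {})
  hash.each do |k, v|
    key = prefix ? "#{prefix}.#{k}" : k.to_s
    v.is_a?(Hash) ? flatten_settings(v, key, out) : (out[key] = v)
  end
  out
end

# True when http.cors.allow-origin admits any origin. "*" was the 1.x
# default; an unanchored regex such as /.*/ is equivalent.
def cors_origin_open?(origin)
  origin.nil? || ["*", "/.*/", ""].include?(origin.to_s.strip)
end

# Returns the findings as symbols, in a fixed order. An absent setting is
# judged as the insecure default (assumption: the node predates the fix).
def audit_elasticsearch_yml(yaml_text)
  s = flatten_settings(YAML.safe_load(yaml_text) || {})
  findings = []

  # ESA-2014-03: CORS on with an open origin lets any web page the user
  # visits drive the node. Either switch is enough, per the advisory.
  cors_on = s.fetch("http.cors.enabled", true) != false
  findings << :cors_wildcard if cors_on && cors_origin_open?(s["http.cors.allow-origin"])

  # ESA-2014-01: dynamic scripting must be disabled explicitly on 1.1.x
  # (assumed key name script.disable_dynamic, from the 1.x documentation).
  findings << :dynamic_scripting unless s["script.disable_dynamic"] == true

  # ESA-2015-01: the advisory's workaround is to turn the Groovy sandbox off.
  findings << :groovy_sandbox unless s["script.groovy.sandbox.enabled"] == false

  findings
end

FINDING_TEXT = {
  cors_wildcard:     "CORS enabled with an open allow-origin (ESA-2014-03): set http.cors.enabled: false or pin http.cors.allow-origin to the Kibana host",
  dynamic_scripting: "dynamic scripting not disabled (ESA-2014-01): set script.disable_dynamic: true",
  groovy_sandbox:    "Groovy sandbox not disabled (ESA-2015-01): set script.groovy.sandbox.enabled: false",
}.freeze

def report(yaml_text)
  audit_elasticsearch_yml(yaml_text).map { |f| FINDING_TEXT.fetch(f) }
end

# Constructed sample configurations (not taken from any real deployment).
# The weak one is the shape a pre-1.4 node commonly ran with.
WEAK_YML = <<~YAML
  cluster.name: logs
  http.cors.enabled: true
  http.cors.allow-origin: "*"
YAML

# Hardened form, written in the nested spelling: CORS pinned to one origin
# (the page's alternative to disabling it), scripting locked down.
HARDENED_YML = <<~YAML
  cluster:
    name: logs
  http:
    cors:
      enabled: true
      allow-origin: "http://kibana.internal:5601"
  script:
    disable_dynamic: true
    groovy:
      sandbox:
        enabled: false
YAML

if __FILE__ == $PROGRAM_NAME
  puts "weak config:"
  report(WEAK_YML).each { |line| puts "  #{line}" }
  puts "hardened config: #{report(HARDENED_YML).empty? ? 'no findings' : 'findings'}"
end
```

Point the script at a node's real elasticsearch.yml with File.read and treat every finding as something to confirm against the running version: a setting left at its default on a patched release is not the same exposure as on an affected one, which is why the audit reports the setting rather than claiming the node is exploitable.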
Kibana

ESA-2016-04 | CVE: none | Disclosed: 2016-08-03
  Vulnerability: When a custom output is configured for logging in Kibana versions before 4.5.4 and 4.1.11, cookies and authorization headers could be written to the log files. This information could be used to hijack other users' sessions when Kibana runs behind an authentication layer such as Shield.
  Remediation: Users should upgrade to 4.5.4 or 4.1.11.

ESA-2016-03 | CVE: none | Disclosed: 2016-08-03
  Vulnerability: Kibana versions before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that allows an attacker to execute arbitrary JavaScript in users' browsers.
  Remediation: Users should upgrade to 4.5.4 or 4.1.11.

ESA-2015-11 | CVE: none | Disclosed: 2015-12-17
  Vulnerability: Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to an XSS attack.
  Remediation: Users should upgrade to 4.1.3 or 4.2.1.

ESA-2015-10 | CVE-2015-8131 | Disclosed: 2015-11-17
  Vulnerability: Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack.
  Remediation: Users should upgrade to 4.1.3 or 4.2.1.

ESA-2015-03 | CVE-2015-4093 | Disclosed: 2015-06-29
  Vulnerability: Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting attack.
  Remediation: Users should upgrade to 4.0.3.