Please send security vulnerability reports to security@elastic.co. This address can be used for all of Elastic's open source and commercial products, the Elastic Cloud service, and the elastic.co website. We can accept only security issues at this address. Bug reports should be directed to the bug database of the project you're reporting it on.

If you would like to encrypt your message to us, please use our PGP key. The fingerprint is

1224 D1A5 72A7 3755 B61A 377B 14D6 5EE0 D2AE 61D2

The key is available from pgp.mit.edu; search for elasticsearch.

Submitting an Issue

When we receive an issue we will evaluate it and, if we agree it is a vulnerability, we'll work to fix it and release the fix in a timeframe that matches the severity.

Let us know if you would like credit for discovering the issue. We can cite you as the discoverer if we weren't previously aware of the issue.

About Elastic Security Advisories

An Elastic Security Advisory ("ESA") is a notice from Elastic to its users of security issues with the Elastic products. Elastic assigns both a CVE and an ESA identifier to each advisory along with a summary and remediation and mitigation details. All new advisories are announced in the Security Announcements forum. These announcements may be tracked via an RSS feed.

Previously Announced Vulnerabilities

Logstash
ESA ID CVE Date Disclosed Vulnerability Summary Remediation Summary
ESA-2017-05 CVE-2017-5645 2017-04-20 The version of Apache Log4j used in Logstash was vulnerable to an object deserialization flaw. This flaw could result in remote code execution by an attacker able to send arbitrary data to a Logstash Log4j plugin. Users that currently use Logstash Log4j input plugin should upgrade the logstash-input-log4j plugin to version 3.0.5
ESA-2016-08 CVE-2016-10362
2016-11-15 Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials. Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version.
ESA-2016-06 CVE-2016-10363
2016-09-22 In Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit. Users that currently use Logstash's netflow codec plugin or may want to use it in the future should upgrade to 2.3.3 or later versions.
ESA-2016-02 CVE-2016-1000221 2016-07-07 Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information. Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version.
ESA-2016-01 CVE-2016-1000222 2016-02-02 Prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data. Users that currently use Logstash CSV output plugin or may want to use it in the future should upgrade to 2.2.0 or 2.1.2.
ESA-2015-09 CVE-2015-5619 2015-07-22 All Logstash versions prior to 1.5.3 that use Lumberjack output is vulnerable to this man in the middle attack. Please note that Logstash Forwarder is not affected by this. Users should upgrade to 1.5.4 or 1.4.5. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack output.
ESA-2015-07 CVE-2015-5378 2015-06-30 All Logstash versions prior to 1.5.2 that use Lumberjack input (in combination with Logstash Forwarder agent) are vulnerable to a SSL/TLS security issue called the FREAK attack. This allows an attacker to intercept communication and access secure data. Users should upgrade to 1.5.3 or 1.4.4. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack input.
ESA-2015-04 CVE-2015-4152 2015-06-09 All Logstash versions prior to 1.4.3 that use the file output plugin are vulnerable to a directory traversal attack that allows an attacker to write files as the Logstash user. Users should upgrade to 1.4.3 or 1.5.0 Users that do not want to upgrade can address the vulnerability by disabling the file output plugin.
ESA-2014-02 CVE-2014-4326 2014-06-24 Logstash 1.4.1 and prior, when configured to use the Zabbix or Nagios outputs, allows an attacker with access to send crafted events to Logstash inputs to cause Logstash to execute OS commands. Upgrade to Logstash 1.4.2 or later, or disable the Zabbix and Nagios outputs.
Elasticsearch
ESA ID CVE Date Disclosed Vulnerability Summary Remediation Summary
ESA-2017-18 CVE-2017-8447 2017-09-11 An error was found in the X-Pack Security privilege enforcement. If a user has either ‘delete’ or ‘index’ permissions on an index in a cluster, they may be able to issue both delete and index requests against that index. X-Pack Security users should upgrade to version 5.6.0 or 5.5.3. If you cannot upgrade immediately you can workaround this issue by removing the ‘delete’ and ‘index’ permission from untrusted users.
ESA-2017-15 CVE-2017-8445 2017-08-17 An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates.
X-Pack Security users should upgrade to version 5.5.2. Please note this attack cannot be triggered remotely. The most likely scenario would be local system corruption. Even though crossing a trust boundary cannot be forced by an attacker, we consider a security feature failing in this manner to be a flaw.
ESA-2017-10 CVE-2017-8442 2017-07-06 Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details. All users of X-Pack security should upgrade to version 5.5.0. This update will prevent the _nodes API from returning sensitive settings. If you cannot upgrade any sensitive settings can be hidden by using the X-Pack hide_settings configuration option.
ESA-2017-09 CVE-2017-8441 2017-06-01 X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias. All users of X-Pack security should upgrade to version 5.3.3 or 5.4.1. If you cannot upgrade disabling the request cache on an index will mitigate this bug.
ESA-2017-06 CVE-2017-8438 2017-06-01 X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally if the run_as user specified does not exist, the transition will not happen. User currently using run_as functionality should upgrade to X-Pack Security 5.4.1
ESA-2017-03 CVE-2017-8449 2017-03-28 When merging multiple rules with field level security rules for the same index, X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules.
ESA-2017-01 CVE-2017-8450 2017-01-23 In some cases, X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information. Users should upgrade to v5.1.2 or above, or restrict access to the multi-search and multi-get APIs.
ESA-2015-08 CVE-2015-5531 2015-07-16 Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack. Users should upgrade to 1.6.1 or later, or constrain access to the snapshot API to trusted sources.
ESA-2015-06 CVE-2015-5377 2015-07-16 Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution. Users should upgrade to 1.6.1 or 1.7.0. Alternately, ensure that only trusted applications have access to the transport protocol port.
ESA-2015-05 CVE-2015-4165 2015-04-27 All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications. Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read.
ESA-2015-02 CVE-2015-3337 2015-04-27 All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when Windows is the server OS. Users should upgrade to 1.4.5 or 1.5.2. Users that do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options.
ESA-2015-01 CVE-2015-1427 2015-02-11 Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine that were introduced in 1.3.0. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. Users should upgrade to 1.3.8 or 1.4.3. Users that do not want to upgrade can address the vulnerability by setting script.groovy.sandbox.enabled to false in elasticsearch.yml and restarting the node.
ESA-2014-03 CVE-2014-6439 2014-11-05 Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise. Users should either set "http.cors.enabled" to false, or set "http.cors.allow-origin" to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases.
ESA-2014-01 CVE-2014-3120 2014-05-22 In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default. This could allow an attacker to execute OS commands. Disable dynamic scripting.
Kibana
ESA ID CVE Date Disclosed Vulnerability Summary Remediation Summary
ESA-2017-17 CVE-2017-8446 2017-08-17 The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data. Reporting users should upgrade to X-Pack version 5.5.2 or Reporting Plugin version 2.4.6. A mitigation for this issue is to remove the reporting_user role from any untrusted users of your Elastic Stack.
ESA-2017-16 2017-08-17 Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Users should upgrade to Kibana version 5.5.2 or 4.6.5.
ESA-2017-14 CVE-2017-11499 2017-07-25 The version of Node.js shipped in all versions of Kibana prior to 5.5.1 contains a Denial of Service flaw in it's HashTable random seed. This flaw could allow a remote attacker to consume resources within Node.js preventing Kibana from servicing requests. Administrators running Kibana in an environment with untrusted users should upgrade to version 5.5.1 or 4.6.5. There is no workaround for this issue, the flaw can be triggered by an unauthenticated anonymous user.
ESA-2017-11 CVE-2017-8443 2017-06-27 In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs. We believe the severity of this issue is low since the issue can be triggered only by a crafted URL, and it will be very difficult for an external attacker to acquire credentials even with the vulnerability.  Kibana users concerned with this issue should upgrade to version 5.4.3 or later. 
ESA-2017-08 CVE-2017-8440 2017-06-01 Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.  Thanks to Thomas Gøytil for reporting this issue. All users of Kibana 5.3 or 5.4 should upgrade to versions 5.3.3 and 5.4.1.
ESA-2017-07 CVE-2017-8439 2017-06-01 Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users. All Kibana 5.4.0 users should upgrade to version 5.4.1. If upgrading is impossible, the time series visual builder can be disabled by setting metrics.enabled: false in the kibana.yml. Note that this will trigger a re-optimization when you restart Kibana.
ESA-2017-04 CVE-2017-8451
2017-04-20 With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. Shield versions for Kibana prior to 2.4.5 are also affected. Users should upgrade to Kibana version 5.3.1 as soon as possible. Users on Kibana 4.6 should update the Kibana Shield plugin to 2.4.5.
ESA-2017-02 CVE-2017-8452
2017-02-14 When Kibana is configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. Requests that are canceled before data is sent can also crash the process. Users of previous versions Kibana 5 that have SSL configured should upgrade to 5.2.1 immediately. Terminating SSL at a reverse proxy or load balancer will act as a workaround. Kibana version 4 is not affected.
ESA-2016-10 CVE-2016-10364
2016-11-29 With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, so any authenticated user could make requests to those services regardless of their own permissions. Users of Kibana and X-Pack versions 5.0.0 and 5.0.1 that have user-specific permissions for advanced settings or short URLs should upgrade to 5.0.2 as soon as possible.
ESA-2016-09 CVE-2016-10365
2016-11-15 Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. Thanks to the GE Digital Security Team for finding the issue. Users should upgrade to 5.0.1 or 4.6.3 as soon as possible.
ESA-2016-07 CVE-2016-10366
2016-10-24 Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. Users of Kibana 4.3 or greater should upgrade to Kibana 4.6.2 immediately.
ESA-2016-05 CVE-2016-1000218 2016-09-06 Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page. Users of the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to 2.4.1.
ESA-2016-04 CVE-2016-1000219 2016-08-03 When a custom output is configured for logging in versions of Kibana before 4.5.4 and 4.1.11, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield. Users should upgrade to 4.5.4 or 4.1.11.
ESA-2016-03 CVE-2016-1000220 2016-08-03 Versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. Users should upgrade to 4.5.4 or 4.1.11.
ESA-2015-11 CVE-2015-9056
2015-12-17 Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. Users should upgrade to 4.1.3 or 4.2.1.
ESA-2015-10 CVE-2015-8131 2015-11-17 Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack. Users should upgrade to 4.1.3 or 4.2.1.
ESA-2015-03 CVE-2015-4093 2015-06-29 Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting attack. Users should upgrade to 4.0.3.
Elastic Cloud Enterprise
ESA ID CVE Date Disclosed Vulnerability Summary Remediation Summary
ESA-2017-13 CVE-2017-8444 2017-09-12 The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data. All Elastic Cloud Enterprise users should upgrade to version 1.0.2. There is no known workaround for this issue.