CVE-2015-1427
Published: 17 February 2015
Summary
CVE-2015-1427 is a critical-severity vulnerability in Elastic Elasticsearch; no CWE has been assigned to it (the weakness type is recorded as unspecified). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a sandbox escape in the Groovy scripting engine used by Elasticsearch. It affects all versions prior to 1.3.8 and 1.4.x prior to 1.4.3, allowing a crafted script to bypass the intended protection mechanism and execute arbitrary shell commands on the underlying operating system. The issue carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.
Remote, unauthenticated attackers can submit malicious Groovy scripts through Elasticsearch’s search or scripting APIs. Successful exploitation grants the attacker the ability to run operating-system commands with the privileges of the Elasticsearch process, resulting in full confidentiality, integrity, and availability impact on the affected node and potentially the cluster.
The official Elasticsearch announcement for versions 1.3.8 and 1.4.3 states that the releases address the Groovy sandbox bypass. Public exploit code demonstrating unauthenticated remote command execution against the vulnerable versions has been published on Packet Storm and discussed in SecurityFocus archives, confirming that the flaw was weaponized shortly after disclosure.
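The affected version ranges above, together with the workaround Elastic published alongside 1.3.8/1.4.3 (set script.groovy.sandbox.enabled: false in elasticsearch.yml and restart the node), can be turned into a per-node exposure check. The Python below is an added example, not code from Elastic or from this advisory. It assumes the version string is the one a node reports, that the setting name is as in the 1.x documentation, and that an absent key means the 1.3/1.4 default of the sandbox being enabled. The same check backs the SI-2 and CM-7 controls listed under Mitigating Controls further down.

```python
"""Added example (not Elastic's code): classify an Elasticsearch 1.x node
against CVE-2015-1427 from its version and its elasticsearch.yml."""
from typing import Dict, Tuple

# Workaround Elastic documented for nodes that cannot be upgraded at once;
# setting name assumed from the 1.x reference (assumption).
SANDBOX_SETTING = "script.groovy.sandbox.enabled"


def parse_version(version: str) -> Tuple[int, int, int]:
    """'1.4.2' -> (1, 4, 2). Pre-release tags such as '1.4.0.Beta1' keep the
    leading numeric components, so a beta of a vulnerable line is still flagged."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
        if len(parts) == 3:
            break
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(version: str) -> bool:
    """Affected ranges as stated in the advisory: anything before 1.3.8,
    and 1.4.x before 1.4.3. 1.3.8, 1.4.3 and later minor lines are fixed."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < (1, 3, 8):
        return True
    return (major, minor) == (1, 4) and patch < 3


def parse_settings(yaml_text: str) -> Dict[str, str]:
    """Minimal reader for the flat 'key: value' lines of elasticsearch.yml
    (comments and blank lines skipped). Nested YAML is not handled."""
    settings: Dict[str, str] = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def assess_node(version: str, settings: Dict[str, str]) -> str:
    """'patched'    -> version outside the affected ranges
       'mitigated'  -> affected build, but the sandbox is switched off (CM-7);
                       the node still needs the vendor patch (SI-2)
       'vulnerable' -> affected build with dynamic Groovy sandbox enabled
    An absent key is treated as the 1.3/1.4 default of enabled (assumption)."""
    if not is_vulnerable_version(version):
        return "patched"
    sandbox_enabled = settings.get(SANDBOX_SETTING, "true").lower() != "false"
    return "vulnerable" if sandbox_enabled else "mitigated"


# Constructed sample config: a node that applied the workaround but not the patch.
SAMPLE_YML = """
cluster.name: search-prod   # constructed example, not a real cluster
node.name: es-node-1
script.groovy.sandbox.enabled: false
"""

if __name__ == "__main__":
    hardened = parse_settings(SAMPLE_YML)
    for ver in ("1.3.7", "1.3.8", "1.4.0.Beta1", "1.4.2", "1.4.3", "1.5.0"):
        print(f"{ver:12} default-config={assess_node(ver, {}):10} "
              f"sandbox-off={assess_node(ver, hardened)}")
```

Treat "mitigated" as a temporary state only: the workaround removes the exposed feature (CM-7), but the flaw is still present until the node runs 1.3.8 or 1.4.3 (SI-2).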
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-5539
Vulnerability details
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
- CWE(s): none assigned
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Elasticsearch before 1.3.8, and 1.4.x before 1.4.3 (Groovy scripting engine).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor patch that closes the Groovy sandbox bypass, i.e. upgrading to Elasticsearch 1.3.8 or 1.4.3.
- CM-7 (Least Functionality): requires disabling or restricting the Groovy scripting engine feature that the CVE exploits to achieve remote code execution. Elastic's documented workaround for nodes that cannot be upgraded immediately is to set script.groovy.sandbox.enabled: false in elasticsearch.yml and restart the node.
- SC-18 (Mobile Code): mandates authorization and control of mobile code (Groovy scripts) submitted through the search/scripting APIs.