Earlier today, new versions of Elasticsearch were released. These updates add new features as well as address two security vulnerabilities: CVE-2015-5377 and CVE-2015-5531. Initial assessments show that our systems are not vulnerable to either.
The first is a remote code execution vulnerability in Groovy, which targets Elasticsearch’s internal binary protocol on port 9300. Bonsai does not support or expose this protocol of port to end-users, it is only made available on a secure private network with access limited to nodes within a given Elasticsearch cluster.
Next is a directory traversal attack in the Elasticsearch Snapshot and Restore API. While we do currently take advantage of the Snapshot and Restore API for our periodic backups of customer data, we do not currently expose this API to end-users directly.
In both cases, our policy of only exposing features and functionality on a whitelist basis has helped to avoid exposing our customers to unexpected vulnerabilities.
Regardless, we’re accelerating our plans to roll out upgrades to newer versions of Elasticsearch. In addition to security fixes for the above vulnerability, recent releases of Elasticsearch all include a number of useful improvements that will directly help improve performance and reliability. Expect an announcement of our upgrade schedule shortly.
You can read more about the new 1.6.1 and 1.7.0 releases, and their security fixes, on Elastic’s release announcement.