Please send security vulnerability reports to security@elastic.co. This address can be used for Elasticsearch, Logstash, Kibana, Elasticsearch for Apache Hadoop, Marvel, Shield, and language integrations, and our plugins. We can accept only security issues at this address. Bug reports should be directed to the bug database of the project you're reporting it on.

If you would like to encrypt your message to us, please use our PGP key. The fingerprint is

1224 D1A5 72A7 3755 B61A 377B 14D6 5EE0 D2AE 61D2

The key is available from pgp.mit.edu; search for elasticsearch.

Submitting an Issue

When we receive an issue we will evaluate it and, if we agree it is a vulnerability, we'll work to fix it and release the fix in a timeframe that matches the severity.

Let us know if you would like credit for discovering the issue. We can cite you as the discoverer if we weren't previously aware of the issue.

Previously Announced Vulnerabilities

Logstash

| CVE Link | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE Requested | Prior to version 2.1.2, the CSV output can be attacked via engineered input that creates malicious formulas in the CSV data. | Users that currently use the Logstash CSV output plugin, or may want to use it in the future, should upgrade to 2.2.0 or 2.1.2. |
| CVE-2015-5619 | All Logstash versions prior to 1.5.3 that use the Lumberjack output are vulnerable to a man-in-the-middle attack. Please note that Logstash Forwarder is not affected by this. | Users should upgrade to 1.5.4 or 1.4.5. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack output. |
| CVE-2015-5378 | All Logstash versions prior to 1.5.2 that use the Lumberjack input (in combination with the Logstash Forwarder agent) are vulnerable to an SSL/TLS security issue called the FREAK attack. This allows an attacker to intercept communication and access secure data. | Users should upgrade to 1.5.3 or 1.4.4. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack input. |
| CVE-2015-4152 | All Logstash versions prior to 1.4.3 that use the file output plugin are vulnerable to a directory traversal attack that allows an attacker to write files as the Logstash user. | Users should upgrade to 1.4.3 or 1.5.0. Users that do not want to upgrade can address the vulnerability by disabling the file output plugin. |
| CVE-2014-4326 | Logstash 1.4.1 and prior, when configured to use the Zabbix or Nagios outputs, allows an attacker who can send crafted events to Logstash inputs to cause Logstash to execute OS commands. | Upgrade to Logstash 1.4.2 or later, or disable the Zabbix and Nagios outputs. |
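The first Logstash row concerns CSV formula injection: a field value beginning with a formula character is evaluated by a spreadsheet rather than displayed. The advisory's remediation is to upgrade; the block below is an added, hypothetical example (not Logstash's own fix or the plugin's code) of the generic mitigation a defender can apply wherever untrusted event data is written to CSV: detect formula-like cells and prefix them so spreadsheets treat them as text. The sample event, the `FORMULA_PREFIXES` set and the single-quote convention are assumptions of this example.

```python
import csv
import io

# Characters that common spreadsheet applications treat as the start of a
# formula when they appear first in a cell (assumption of this example).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True when a cell would be interpreted as a formula by a spreadsheet.

    Plain signed numbers such as -12.5 start with a prefix character but are
    not formulas, so they are deliberately left alone.
    """
    text = str(value)
    if not text.startswith(FORMULA_PREFIXES):
        return False
    try:
        float(text)
        return False
    except ValueError:
        return True


def neutralize_cell(value):
    """Return a cell value that a spreadsheet shows as literal text.

    The leading single quote is the spreadsheet-side convention for forcing a
    cell to text; this is a generic mitigation, not the Logstash 2.1.2 fix.
    """
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def write_csv_row(fields):
    """Serialise one event as a CSV line with every field neutralised.

    The csv module handles quoting of embedded commas, quotes and newlines,
    so the neutralised value cannot break out of its own cell either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow([neutralize_cell(f) for f in fields])
    return buf.getvalue()


# Constructed sample event fields, shaped like what a CSV output might emit.
# The third field is the kind of value this mitigation exists for.
SAMPLE_EVENT = ["2016-01-10T12:00:00Z", "web-01", "=SUM(A1:A2)", "user, with comma"]

if __name__ == "__main__":
    print(write_csv_row(SAMPLE_EVENT), end="")
```

The trade-off to be aware of: prefixing changes the stored value, so downstream consumers that parse the CSV programmatically rather than opening it in a spreadsheet will see the quote character. Applying the neutralisation only at the boundary where a file is handed to spreadsheet users keeps machine-readable exports untouched.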

Elasticsearch

| CVE Link | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2015-5531 | Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack. | Users should upgrade to 1.6.1 or later, or constrain access to the snapshot API to trusted sources. |
| CVE-2015-5377 | Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution. | Users should upgrade to 1.6.1 or 1.7.0. Alternately, ensure that only trusted applications have access to the transport protocol port. |
| CVE-2015-4165 | All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications. | Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read. |
| CVE-2015-3337 | All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when Windows is the server OS. | Users should upgrade to 1.4.5 or 1.5.2. Users that do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options. |
| CVE-2015-1427 | Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine that were introduced in 1.3.0. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. | Users should upgrade to 1.3.8 or 1.4.3. Users that do not want to upgrade can address the vulnerability by setting script.groovy.sandbox.enabled to false in elasticsearch.yml and restarting the node. |
| CVE-2014-6439 | Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise. | Users should either set "http.cors.enabled" to false, or set "http.cors.allow-origin" to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases. |
| CVE-2014-3120 | In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default. This could allow an attacker to execute OS commands. | Disable dynamic scripting. |
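Three of the Elasticsearch remediations above are elasticsearch.yml settings rather than upgrades: disabling the Groovy sandbox (CVE-2015-1427), disabling CORS or pinning its allowed origin (CVE-2014-6439), and disabling dynamic scripting (CVE-2014-3120). The block below is an added example, not Elastic's tooling, of a small audit that reads a 1.x-style elasticsearch.yml and reports which of those mitigations is missing. It assumes the file uses flat dotted keys (no nested YAML maps), which is how these settings are usually written. The setting name `script.disable_dynamic` is the 1.x key for turning off dynamic scripting and comes from the Elasticsearch 1.x documentation, not from this page; both sample configs are constructed.

```python
"""Audit an Elasticsearch 1.x elasticsearch.yml for the configuration-based
remediations named in the advisories (hypothetical audit script)."""

# Constructed sample: a config with none of the mitigations applied.
SAMPLE_WEAK_CONFIG = """\
cluster.name: logs-prod
# CORS enabled with a wildcard origin (CVE-2014-6439 remediation not applied)
http.cors.enabled: true
http.cors.allow-origin: "*"
# Groovy sandbox still on (CVE-2015-1427 remediation not applied)
script.groovy.sandbox.enabled: true
"""

# Constructed sample: the same node with every setting-based mitigation applied.
SAMPLE_HARDENED_CONFIG = """\
cluster.name: logs-prod
http.cors.enabled: false
script.groovy.sandbox.enabled: false
script.disable_dynamic: true
"""


def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines into a dict.

    Assumption: flat keys only, '#' starts a comment, quotes around values
    are decorative. Nested YAML structures are out of scope for this check.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def _is_false(value):
    return value is not None and value.lower() == "false"


def _is_true(value):
    return value is not None and value.lower() == "true"


def audit_settings(settings):
    """Return one finding per advisory whose setting-based mitigation is absent.

    A missing key counts as 'not mitigated': each advisory above exists because
    the affected versions ship with the permissive behaviour by default.
    """
    findings = []
    origin = settings.get("http.cors.allow-origin")
    if not _is_false(settings.get("http.cors.enabled")) and origin in (None, "*"):
        findings.append(
            "CVE-2014-6439: http.cors.enabled is not false and "
            "http.cors.allow-origin is unset or '*'"
        )
    if not _is_false(settings.get("script.groovy.sandbox.enabled")):
        findings.append("CVE-2015-1427: script.groovy.sandbox.enabled is not false")
    if not _is_true(settings.get("script.disable_dynamic")):
        findings.append("CVE-2014-3120: script.disable_dynamic is not true")
    return findings


def audit_config_text(text):
    """Convenience wrapper: parse then audit."""
    return audit_settings(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        print(f"{name}: {audit_config_text(cfg) or ['no findings']}")
```

The audit only sees the configuration, not the running version, so a clean result on a node that is still 1.4.2 does not replace the upgrade the table recommends; treat it as a check that the interim mitigations are in place on nodes that cannot be upgraded yet.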

Kibana

| CVE Link | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2015-8131 | Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack. | Users should upgrade to 4.1.3 or 4.2.1. |
| CVE-2015-4093 | Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting attack. | Users should upgrade to 4.0.3. |