Security vulnerabilities when using Elasticsearch with MongoDB
Elasticsearch was used in BMC Remedy with Smart IT and BMC MyIT to provide search functionality for data stored in MongoDB.
BMC advises customers about two security vulnerabilities in Elasticsearch:
- CVE-2015-1427—Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have a vulnerability in the Groovy scripting engine that was introduced in 1.3.0. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.
- CVE-2015-5377—Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution.
KA433901 includes information about options for mitigating these vulnerabilities.
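To check which deployments fall in the affected ranges listed above, the following added example (not BMC or Elasticsearch code) classifies a node from the version number it reports. It assumes the input is the JSON body returned by the node's root endpoint (`GET /`), which carries `version.number`; the sample bodies are constructed, and the function names are hypothetical.

```python
import json
import re

# Affected ranges exactly as stated in the advisory text above.
GROOVY_RANGES = [((1, 3, 0), (1, 3, 7)), ((1, 4, 0), (1, 4, 2))]  # CVE-2015-1427
RCE_FIXED = (1, 6, 1)  # CVE-2015-5377 affects versions prior to this one


def parse_version(text):
    """Return (major, minor, patch) from '1.4.2' or '1.4.0.Beta1'.

    Assumption: a pre-release suffix is ignored, so a beta is treated
    like the release it precedes (the conservative choice here).
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def affected_cves(version_text):
    """List the CVEs from this advisory that apply to a version string."""
    v = parse_version(version_text)  # tuples compare numerically: 1.10 > 1.6
    hits = []
    if any(lo <= v <= hi for lo, hi in GROOVY_RANGES):
        hits.append("CVE-2015-1427")
    if v < RCE_FIXED:
        hits.append("CVE-2015-5377")
    return hits


def check_node_info(body):
    """Classify a node from the JSON body of its root endpoint."""
    number = json.loads(body)["version"]["number"]
    return number, affected_cves(number)


# Constructed sample responses, trimmed to the fields used here.
SAMPLES = [
    '{"name": "node-a", "version": {"number": "1.4.2"}}',
    '{"name": "node-b", "version": {"number": "1.5.2"}}',
    '{"name": "node-c", "version": {"number": "1.6.1"}}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        number, cves = check_node_info(body)
        print(f"{number}: {', '.join(cves) if cves else 'not in the listed ranges'}")
```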