Source: elasticsearch
Severity: grave
Tags: security upstream fixed-upstream

Hi Hilko,

I see elasticsearch entered unstable now. Some time ago the following
vulnerability was published for elasticsearch.

| The default configuration in Elasticsearch before 1.2 enables dynamic
| scripting, which allows remote attackers to execute arbitrary MVEL
| expressions and Java code via the source parameter to _search.  NOTE:
| this only violates the vendor's intended security policy if the user
| does not run Elasticsearch in its own independent virtual machine.

If I understand it correctly, the value or this defaults to false,
more references are in Red Hat's Bugzilla[1]. Could you check
elasticsearch for this?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:



This is the maintainer address of Debian's Java team
Please use for discussions and questions.

Reply via email to