All Products
Document Center

[Vulnerability notice] Elasticsearch Groovy command execution vulnerability

Last Updated: Apr 02, 2018

Vulnerability description

The default dynamic script feature of Elasticsearch cannot properly filter inputs submitted by users. Attackers can exploit this vulnerability to submit a specially crafted HTTP request and run arbitrary code with root privileges.

Attackers can use root privileges to run arbitrary commands, upload the Trojan program, and take control of the server.

How to fix

Upgrade Elasticsearch to the latest version.