Security researchers report on a malicious campaign spreading via six-year-old remote command execution (RCE) vulnerabilities in ElasticSearch and Jenkins.
- The first flaw, tracked as CVE-2015-1427, is an RCE in the Groovy scripting engine affecting ElasticSearch before 1.3.8 and 1.4.x before 1.4.3.
- The second flaw is a Jenkins script console RCE vulnerability. The CVE was misidentified in the campaign report, but is likely CVE-2015-8103 in Jenkins before 1.638 and LTS before 1.625.2.
- Groovy, the scripting language used by default in Elasticsearch versions prior to 2.x and in multiple Jenkins versions, enables dynamic scripting, which makes default installations of older versions insecure.
Why it’s important
- Threat actors often take advantage of open-source installations in the victim environment, as these tools are often overlooked by IT teams and stay unpatched.
- Use the latest version of ElasticSearch and Jenkins and follow vendor best practices for securely configuring your installations.
- Ensure your ElasticSearch and Jenkins are not default installations and that their data cannot be accessed over the internet.
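The two recommendations above can be checked offline against a node's version string and its elasticsearch.yml. The script below is an added example written for this page, not tooling from the campaign report or from Elastic. It relies on three real Elasticsearch 1.x settings (script.disable_dynamic, script.groovy.sandbox.enabled and network.host / network.bind_host; the sandbox switch is the setting Elastic recommended turning off for CVE-2015-1427), mirrors the affected version ranges exactly as stated above, and uses two constructed sample configurations: an untouched default install and a hardened one. The flat key: value parser is an assumption that fits the typical 1.x config file and does not handle nested YAML.

```python
"""Offline audit of an Elasticsearch 1.x node against the advisory above.
Constructed example: settings are real 1.x options, sample files are invented."""
import re

# Fixed releases quoted in the advisory text above for CVE-2015-1427.
FIXED_1_3 = (1, 3, 8)
FIXED_1_4 = (1, 4, 3)

# Constructed sample configurations (not taken from any real host).
DEFAULT_INSTALL_YML = """
# elasticsearch.yml as shipped: nothing restricts scripting or binding
cluster.name: logs
"""

HARDENED_YML = """
cluster.name: logs
script.disable_dynamic: true            # no inline/indexed scripts at all
script.groovy.sandbox.enabled: false    # mitigation Elastic recommended for CVE-2015-1427
network.host: 127.0.0.1                 # loopback only; front with an authenticating proxy
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def parse_flat_yaml(text):
    """Minimal parser for the flat 'key: value' lines of elasticsearch.yml.
    Assumption: no nested mappings; '#' comments and blank lines are dropped."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def is_vulnerable_version(v):
    """Mirrors the affected ranges stated above: before 1.3.8, and 1.4.x before 1.4.3."""
    if v[:2] == (1, 4):
        return v < FIXED_1_4
    return v < FIXED_1_3


def audit_node(version_text, yaml_text):
    """Return a list of (finding_id, message) tuples; an empty list means nothing flagged."""
    version = parse_version(version_text)
    cfg = parse_flat_yaml(yaml_text)
    findings = []

    vulnerable = is_vulnerable_version(version)
    if vulnerable:
        findings.append(("VULNERABLE_VERSION",
                         "Elasticsearch %s is in the CVE-2015-1427 affected range; "
                         "upgrade to 1.3.8 / 1.4.3 or later" % version_text))

    # Dynamic Groovy is only reachable if neither kill switch is set.
    dynamic_off = cfg.get("script.disable_dynamic", "").lower() == "true"
    sandbox_off = cfg.get("script.groovy.sandbox.enabled", "").lower() == "false"
    if vulnerable and not (dynamic_off or sandbox_off):
        findings.append(("DYNAMIC_GROOVY_ENABLED",
                         "sandboxed Groovy scripting is on by default for this version; "
                         "set script.groovy.sandbox.enabled: false or script.disable_dynamic: true"))

    # 1.x binds to all interfaces unless network.host / network.bind_host says otherwise.
    bind = cfg.get("network.bind_host") or cfg.get("network.host")
    if bind is None or bind not in LOOPBACK:
        findings.append(("EXPOSED_BIND_ADDRESS",
                         "node binds to %s; restrict network.host to a private or loopback address"
                         % (bind or "all interfaces (1.x default)")))
    return findings


if __name__ == "__main__":
    for label, ver, yml in (("default install", "1.4.2", DEFAULT_INSTALL_YML),
                            ("hardened node", "1.4.3", HARDENED_YML)):
        print("== %s (%s)" % (label, ver))
        for fid, msg in audit_node(ver, yml) or [("OK", "no findings")]:
            print("  [%s] %s" % (fid, msg))
```

Run against the default install on 1.4.2 it reports all three findings; the hardened file on 1.4.3 reports none. The version check deliberately stays silent for 1.5 and later because the advisory text names no affected range there, so a fleet running anything older than 2.x still needs the scripting and bind checks even when the CVE itself is out of scope.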