Summary
Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol that enables remote code execution. This issue is related to the Groovy announcement in CVE-2015-3253.
Deployments are vulnerable even when Groovy dynamic scripting is disabled.
We have been assigned CVE-2015-5377 for this issue.
Fixed versions
Version 1.6.1 and 1.7.0 address the vulnerability.
Remediation
Users should upgrade to the 1.6.1 or 1.7.0 release.
Users that do not want to upgrade can address the vulnerability by securing the transport protocol port (default 9300) to allow access by only trusted agents.
CVSS
Overall CVSS score: 5.1
Credits
cpnrodzc7 working with HP's Zero Day Initiative (ZDI) found a similar issue with Elasticsearch.