If you configure Elasticsearch for access from a remote host, arbitrary code can be executed. You can prevent this vulnerability.
The default configuration in the version of Elasticsearch used in this release enables dynamic scripting, which potentially allows execution of arbitrary code. Although we ship Elasticsearch configured for access from the local host only, it is best to disable the dynamic scripting feature, which this product does not use. Add the line
    script.disable_dynamic: true
to the conf/elasticsearch/elasticsearch.yml file and restart the Elasticsearch service. To restart the service on Linux, use the command
    ./sm_service start smarts-elasticsearch
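One way to confirm the setting took effect in the file, as an added example that is not part of the product or its documentation: the helper name check_dynamic_scripting, its return codes and the sample files are assumptions of this example. It treats a commented-out or contradictory entry as a failure rather than as hardened.

```shell
#!/bin/sh
# Added example: audit an elasticsearch.yml for the dynamic-scripting setting.
# check_dynamic_scripting is a hypothetical helper, not a product command.
# Return codes:
#   0  every uncommented script.disable_dynamic line is set to true
#   1  the key is present but at least one occurrence is not "true"
#   2  the key is absent, or present only in commented-out lines
#   3  the file is missing or unreadable
# Only the flat "script.disable_dynamic: true" form shown on this page is recognised.
check_dynamic_scripting() {
    conf=$1
    if [ ! -f "$conf" ] || [ ! -r "$conf" ]; then
        return 3
    fi
    key='^[[:space:]]*script\.disable_dynamic[[:space:]]*:'
    ok="$key"'[[:space:]]*true[[:space:]]*\(#.*\)\{0,1\}$'
    # grep -c exits non-zero on a count of 0, so neutralise its status.
    total=$(grep -c "$key" "$conf" || true)
    good=$(grep -c "$ok" "$conf" || true)
    if [ "$total" -eq 0 ]; then
        return 2
    fi
    if [ "$good" -ne "$total" ]; then
        return 1
    fi
    return 0
}

# Constructed sample files, for demonstration only.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'cluster.name: demo\nscript.disable_dynamic: true\n' > "$dir/hardened.yml"
    printf 'cluster.name: demo\n#script.disable_dynamic: true\n' > "$dir/commented.yml"
    printf 'script.disable_dynamic: false\n' > "$dir/left_enabled.yml"
    for name in hardened commented left_enabled; do
        rc=0
        check_dynamic_scripting "$dir/$name.yml" || rc=$?
        echo "$name.yml: exit code $rc"
    done
    rm -rf "$dir"
}
demo
```

To audit a real installation, call check_dynamic_scripting with the path to conf/elasticsearch/elasticsearch.yml after editing the file.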