Root Compromise Vulnerability in instances running ElasticSearch

We have recently observed a spike in root compromises of instances running ElasticSearch that are affected by the issues explained in the link here. This is a new vulnerability which is not yet documented.

For the moment, we have the following recommendations specific to ES, which should be reviewed and implemented as soon as possible:
1. Upgrade ES to the latest version
2. Never run ES as root user
3. Never allow ES to be publicly accessible
4. If you’re running an older version, add this to your config/elasticsearch.yaml:
   script.disable_dynamic: true
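
A minimal audit of items 2 to 4 above, added here as an example (it is not code from this advisory or from ElasticSearch). The function names, finding labels and sample configs are constructed, and treating an unset bind address as exposed is an assumption of the example.

```python
import ipaddress

# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = "cluster.name: demo\nnetwork.host: 0.0.0.0\n"
HARDENED_CONFIG = """cluster.name: demo
network:
  host: 127.0.0.1
script:
  disable_dynamic: true
"""

def flatten_settings(text):
    """Flatten simple YAML mappings (dotted or nested keys) into dotted keys."""
    settings, stack = {}, []  # stack: (indent, key) of open parent mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop inline comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indent
        if value.strip():
            dotted = ".".join([k for _, k in stack] + [key.strip()])
            settings[dotted] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return settings

def audit_es(config_text, run_uid):
    """Check items 2-4 of the list; an empty result means all three pass."""
    cfg, findings = flatten_settings(config_text), []
    if run_uid == 0:
        findings.append("runs-as-root")
    if cfg.get("script.disable_dynamic", "").lower() != "true":
        findings.append("dynamic-scripting-enabled")
    host = cfg.get("network.bind_host") or cfg.get("network.host")
    try:
        ip = ipaddress.ip_address(host) if host else None
    except ValueError:  # hostname or interface syntax: cannot judge offline
        return findings + ["bind-address-needs-review"]
    # Assumption: an unset bind address is treated as listening everywhere.
    if ip is None or ip.is_unspecified or ip.is_global:
        findings.append("listens-on-public-or-all-interfaces")
    return findings

if __name__ == "__main__":
    print("weak:", audit_es(WEAK_CONFIG, 0))
    print("hardened:", audit_es(HARDENED_CONFIG, 1000))
```

On a live host, pass the UID that owns the ES process as `run_uid` and the contents of the config file as `config_text`.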

For more information, please check ElasticSearch documentation links 1 and 2.

Update: For E2E managed clients with known ES installations, we are proactively reaching out with security advice. If you are an unmanaged client running ES on your server, please send an email to and we will help you with the recommendations.