Bug 1696034 (CVE-2019-7611)

Summary: CVE-2019-7611 elasticsearch: Improper permission issue when attaching a new name to an index
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: ahardin, alazarot, anstephe, aos-bugs, bleanhar, bmontgom, bobjensen, ccoleman, chazlett, dbecker, dedgar, eparis, etirelli, ibek, java-sig-commits, jburrell, jcantril, jgoulding, jjoyce, jokerman, jschluet, jvanek, kbasil, krathod, kverlaen, lhh, lpeer, mburns, mchappel, mmagr, nstielau, pahan, paradhya, rrajasek, rsynek, rzhang, sclewis, sdaley, slinaber, sponnaga, zbyszek
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: elasticsearch 5.6.15, elasticsearch 6.6.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-16 10:18:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1696035, 1732235, 1732236, 1732237, 1732238, 1732239    
Bug Blocks: 1696036    

Description Pedro Sampaio 2019-04-04 03:52:50 UTC
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.

References:

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
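
As an added example (not part of the bug report and not Elastic's or Red Hat's code), the following Python check tests for the two conditions the description names: a version before 5.6.15 / 6.6.1 and xpack.security.dls_fls.enabled set to false in elasticsearch.yml, written either as a flat dotted key or as a nested block. The function names, the sample configurations and the treatment of an absent setting as true are assumptions.

```python
import re

SETTING = "xpack.security.dls_fls.enabled"
FIXED_5X, FIXED_6X = (5, 6, 15), (6, 6, 1)  # fixed releases named in the report

def version_in_range(version):
    """True if version is before 5.6.15, or is 6.x before 6.6.1 (range read literally from the report)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if not nums:
        raise ValueError(f"no version number in {version!r}")
    parts = tuple(nums + [0] * (3 - len(nums)))
    if parts[0] >= 7:
        return False
    return parts < (FIXED_6X if parts[0] == 6 else FIXED_5X)

def flatten_settings(yml_text):
    """Flatten flat dotted keys and nested block mappings into dotted keys.
    Minimal parser for the scalar settings of elasticsearch.yml, not full YAML."""
    settings, stack = {}, []  # stack: (indent, key) of open parent mappings
    for raw in yml_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # close finished parent blocks
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            settings[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return settings

def assess(version, yml_text):
    """Report whether both conditions from the bug description hold."""
    # Assumption: the setting is treated as true when it is absent from the file.
    disabled = flatten_settings(yml_text).get(SETTING, "true").lower() == "false"
    in_range = version_in_range(version)
    return {"version_in_range": in_range, "dls_fls_disabled": disabled,
            "matches_report": in_range and disabled}

# Constructed sample configurations (not taken from any real deployment).
FLAT = "cluster.name: demo\nxpack.security.dls_fls.enabled: false\n"
NESTED = "xpack:\n  security:\n    dls_fls:\n      enabled: false  # constructed\n"

if __name__ == "__main__":
    for ver, yml in [("5.6.1", FLAT), ("6.5.4", NESTED), ("6.6.1", FLAT)]:
        print(ver, assess(ver, yml))
```

A match only matters where X-Pack is actually installed, as the statement in Comment 6 points out.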

Comment 1 Pedro Sampaio 2019-04-04 03:53:05 UTC
Created elasticsearch tracking bugs for this issue:

Affects: fedora-all [bug 1696035]

Comment 5 Joshua Padman 2019-05-15 23:03:30 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 6 Sam Fowler 2019-07-23 04:55:02 UTC
Statement:

Red Hat OpenStack Platform 8.0/9.0 Operational Tools Kibana/Elasticsearch versions do not include nor support X-Pack (8/9 versions must use the optional Shield, also not packaged); not affected.

OpenShift Container Platform (OCP) does not include X-Pack with Elasticsearch, which prevents this vulnerability from being exploited. However, versions of Elasticsearch shipped in OCP do contain the vulnerable code which could allow this vulnerability to be exploited if X-Pack was installed.

Comment 8 Paramvir jindal 2019-12-11 11:32:48 UTC
RHDM 7.5.1 and RHPAM 7.5.1 both ship elasticsearch-5.6.1.jar and hence seem to be affected as per the description:

RHDM7.5.1/standalone/deployments/decision-central.war/WEB-INF/lib/elasticsearch-5.6.1.jar
RHPAM7.5.1/standalone/deployments/business-central.war/WEB-INF/lib/elasticsearch-5.6.1.jar

Comment 10 errata-xmlrpc 2020-03-18 14:51:50 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895

Comment 11 errata-xmlrpc 2020-03-18 17:37:56 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899