Bug 1696034 (CVE-2019-7611)
Summary: | CVE-2019-7611 elasticsearch: Improper permission issue when attaching a new name to an index | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | ahardin, alazarot, anstephe, aos-bugs, bleanhar, bmontgom, bobjensen, ccoleman, chazlett, dbecker, dedgar, eparis, etirelli, ibek, java-sig-commits, jburrell, jcantril, jgoulding, jjoyce, jokerman, jschluet, jvanek, kbasil, krathod, kverlaen, lhh, lpeer, mburns, mchappel, mmagr, nstielau, pahan, paradhya, rrajasek, rsynek, rzhang, sclewis, sdaley, slinaber, sponnaga, zbyszek |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | elasticsearch 5.6.15, elasticsearch 6.6.1 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-03-16 10:18:54 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1696035, 1732235, 1732236, 1732237, 1732238, 1732239 | | |
Bug Blocks: | 1696036 | | |
Description
Pedro Sampaio
2019-04-04 03:52:50 UTC
Created elasticsearch tracking bugs for this issue:

Affects: fedora-all [bug 1696035]

This vulnerability is out of security support scope for the following product:

* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Statement:

Red Hat OpenStack Platform 8.0/9.0 Operational Tools Kibana/Elasticsearch versions do not include nor support X-Pack (8/9 versions must use the optional Shield, also not packaged); not affected.

OpenShift Container Platform (OCP) does not include X-Pack with Elasticsearch, which prevents this vulnerability from being exploited. However, versions of Elasticsearch shipped in OCP do contain the vulnerable code, which could allow this vulnerability to be exploited if X-Pack were installed.

RHDM 7.5.1 and RHPAM 7.5.1 both ship elasticsearch-5.6.1.jar and hence seem to be affected as per the description:

RHDM7.5.1/standalone/deployments/decision-central.war/WEB-INF/lib/elasticsearch-5.6.1.jar
RHPAM7.5.1/standalone/deployments/business-central.war/WEB-INF/lib/elasticsearch-5.6.1.jar

This issue has been addressed in the following products:

Red Hat Process Automation

Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895

This issue has been addressed in the following products:

Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
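As an added inventory check (example code written for this page, not code from Red Hat, Elastic or the bug itself): it walks a deployment tree, classifies every elasticsearch-X.Y.Z.jar it finds against the fixed versions 5.6.15 and 6.6.1 given in the "Fixed In Version" field, and, following the OCP statement above, only calls a finding exploitable when an X-Pack install is also present. The two RHDM/RHPAM jar paths in the sample tree are the ones quoted in the comments; the patched 6.6.1 jar, the x-pack plugin directory, and the rule that an X-Pack install is recognisable by a directory or jar whose name starts with "x-pack" are assumptions made for the example.

```python
import os
import re
import tempfile
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions taken from the bug's "Fixed In Version" field:
# elasticsearch 5.6.15 and 6.6.1. Anything earlier on the same major
# branch still carries the vulnerable code.
FIXED_IN: Dict[int, Version] = {5: (5, 6, 15), 6: (6, 6, 1)}

JAR_RE = re.compile(r"^elasticsearch-(\d+)\.(\d+)\.(\d+)\.jar$")
# Assumption (not from the bug): an installed X-Pack shows up as a
# plugin directory or jar whose name starts with "x-pack".
XPACK_RE = re.compile(r"^x-pack", re.IGNORECASE)


class Report(NamedTuple):
    jars: List[Tuple[str, Version, str]]  # (relative path, version, status)
    xpack_present: bool


def parse_jar_version(filename: str) -> Optional[Version]:
    """Return (major, minor, patch) for an elasticsearch-X.Y.Z.jar name, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def affected(version: Version) -> Optional[bool]:
    """True if below the fixed release on its branch, False if at or above it,
    None for branches the bug gives no fixed version for (left unassessed)."""
    fixed = FIXED_IN.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def classify(version: Version) -> str:
    a = affected(version)
    if a is None:
        return "not assessed"
    return "affected" if a else "fixed"


def scan(root: str) -> Report:
    """Walk a deployment tree, classify every elasticsearch jar, note X-Pack."""
    findings: List[Tuple[str, Version, str]] = []
    xpack_present = False
    for dirpath, dirnames, filenames in os.walk(root):
        if any(XPACK_RE.match(n) for n in dirnames + filenames):
            xpack_present = True
        for name in filenames:
            version = parse_jar_version(name)
            if version is not None:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, version, classify(version)))
    findings.sort()
    return Report(findings, xpack_present)


def exploitable(report: Report) -> bool:
    """Mirror the bug's OCP statement: vulnerable code alone is not enough,
    X-Pack has to be installed as well."""
    has_affected = any(status == "affected" for _, _, status in report.jars)
    return has_affected and report.xpack_present


def demo(with_xpack: bool = False) -> Report:
    """Build a constructed tree of empty stand-in jars and scan it. The two
    RHDM/RHPAM paths are the ones quoted in the bug; the patched jar and the
    x-pack plugin directory are constructed for this example."""
    with tempfile.TemporaryDirectory() as root:
        jars = [
            "RHDM7.5.1/standalone/deployments/decision-central.war/WEB-INF/lib/elasticsearch-5.6.1.jar",
            "RHPAM7.5.1/standalone/deployments/business-central.war/WEB-INF/lib/elasticsearch-5.6.1.jar",
            "patched/lib/elasticsearch-6.6.1.jar",  # constructed, at the fixed version
        ]
        for rel in jars:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "wb").close()
        if with_xpack:
            os.makedirs(os.path.join(root, "elasticsearch", "plugins", "x-pack"))
        return scan(root)


if __name__ == "__main__":
    report = demo(with_xpack=True)
    for rel, version, status in report.jars:
        print(f"{status:13}{'.'.join(map(str, version)):8}{rel}")
    print("X-Pack present:", report.xpack_present, "-> exploitable:", exploitable(report))
```

Point `scan()` at a real unpacked RHDM/RHPAM or OCP image root instead of `demo()` to run it against a deployment; an "affected" jar without X-Pack is the OCP situation described in the statement (vulnerable code present, not exploitable as shipped), and the same jar with X-Pack alongside is the case the errata above address.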