Bug 1758313 (CVE-2019-13416)

Summary: CVE-2019-13416 search-guard: authenticated users ignoring their roles on the remote cluster
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aos-bugs, bmontgom, eparis, jburrell, jcantril, jokerman, nstielau, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:49:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1760649, 1760650, 1760651, 1760652, 1760653, 1760654, 1760655    
Bug Blocks: 1758314    

Description Guilherme de Almeida Suckevicz 2019-10-03 20:10:13 UTC 
Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s).

References:
https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3
https://search-guard.com/cve-advisory/
Comment 1 Jason Shepherd 2019-10-11 03:29:43 UTC 
Use of Cross Cluster Search is not supported in all versions of OpenShift.