Bug 1893125 (CVE-2020-7020)

Summary: CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure
Product: [Other] Security Response
Component: vulnerability
Reporter: Marian Rehak <mrehak>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: elasticsearch 7.9.2, elasticsearch 6.8.13
Last Closed: 2021-10-28 08:26:58 UTC
Bug Depends On: 1893126, 1893127, 1893128
Bug Blocks: 1893129
CC: aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, apevec, bmontgom, chazlett, dbruno, drieden, eparis, etirelli, ggaughan, gmalinko, ibek, janstey, jburrell, jcantril, jjoyce, jochrist, jokerman, jschluet, jstastny, jwon, krathod, kverlaen, lhh, lpeer, mburns, mnovotny, nstielau, piotr1212, pjindal, rrajasek, rsynek, sclewis, sdaley, slinaber, sponnaga, steve.traylen

Description Marian Rehak 2020-10-30 09:32:50 UTC
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Upstream Advisory:

https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033

Comment 1 Marian Rehak 2020-10-30 09:33:50 UTC
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1893127]
Affects: fedora-all [bug 1893128]
Affects: openstack-rdo [bug 1893126]

Comment 5 Jonathan Christison 2020-11-02 15:19:50 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 12 Przemyslaw Roguski 2020-11-09 15:14:21 UTC
Upstream PR:
https://github.com/elastic/elasticsearch/pull/61621

Comment 15 errata-xmlrpc 2022-07-07 14:20:09 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532