Bug 1923181 (CVE-2021-22132)

Summary: CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, apevec, bibryam, bmontgom, chazlett, dbruno, dramseur, drieden, eparis, etirelli, ganandan, ggaughan, gmalinko, hbraun, ibek, janstey, jburrell, jcantril, jhunter, jjoyce, jnethert, jochrist, jokerman, jschluet, jstastny, jwon, kmitts, krathod, kverlaen, lhh, lpeer, mburns, mgala, mjudeiki, mnovotny, nstielau, pantinor, piotr1212, pjindal, rrajasek, rsynek, sclewis, sdaley, slinaber, sponnaga, steve.traylen
Keywords: Security
Hardware: All
OS: Linux
See Also:
https://issues.redhat.com/browse/ENTESB-15687
https://issues.redhat.com/browse/ENTESB-15688
https://issues.redhat.com/browse/RHPAM-3441
https://issues.redhat.com/browse/RHDM-1593
Fixed In Version: elasticsearch 7.10.2
Doc Type: If docs needed, set a value
Last Closed: 2021-10-28 08:44:10 UTC
Bug Depends On: 1923183, 1923182, 1923185
Bug Blocks: 1923184

Description Marian Rehak 2021-02-01 14:19:49 UTC
An information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster.

Upstream Reference:

https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164

Comment 1 Marian Rehak 2021-02-01 14:20:59 UTC
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1923183]
Affects: fedora-all [bug 1923185]
Affects: openstack-rdo [bug 1923182]

Comment 6 Przemyslaw Roguski 2021-02-04 16:55:54 UTC
Elasticsearch >= 7.7.0 and < 7.10.2 are affected by this vulnerability.

upstream fix:
https://github.com/elastic/elasticsearch/pull/66294/files
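The description above notes that the leaked headers end up in the .tasks index and are reachable by any user who can read it, and comment 6 gives the affected version range (>= 7.7.0, < 7.10.2). The following is an added defender-side audit example, not code from the bug report or from the Elasticsearch project: it decides whether a reported cluster version falls in the affected range and lists which roles grant read access to .tasks, so an administrator knows whose privileges to review while an upgrade to 7.10.2 is pending. It assumes role definitions in the shape returned by Elasticsearch's GET /_security/role API and, as a simplification, treats only the "read" and "all" index privileges as granting read access; the sample roles are constructed for the example.

```python
"""Audit helpers for CVE-2021-22132 (added example, not from the bug report).

Assumptions (not taken from the page):
- role definitions follow the JSON shape of GET /_security/role:
  {"role_name": {"indices": [{"names": [...], "privileges": [...]}], ...}}
- only the "read" and "all" index privileges are treated as read access
- index name patterns use simple "*" wildcards, matched with fnmatch
"""
import fnmatch
import re

AFFECTED_MIN = (7, 7, 0)    # first affected release (comment 6)
FIXED = (7, 10, 2)          # "Fixed In Version: elasticsearch 7.10.2"
SENSITIVE_INDEX = ".tasks"  # where async-search task documents are stored
READ_PRIVILEGES = {"read", "all"}  # simplified set, see module docstring


def parse_version(version):
    """Turn '7.10.1' (optionally with a -SNAPSHOT style suffix) into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the version lies in [7.7.0, 7.10.2)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def roles_that_can_read(roles, index=SENSITIVE_INDEX):
    """Return the (sorted) role names whose index privileges allow reading `index`."""
    hits = []
    for name, role in roles.items():
        for grant in role.get("indices", []):
            if not set(grant.get("privileges", [])) & READ_PRIVILEGES:
                continue
            # fnmatch's "*" also matches a leading dot, so "*" covers ".tasks"
            if any(fnmatch.fnmatchcase(index, pattern)
                   for pattern in grant.get("names", [])):
                hits.append(name)
                break
    return sorted(hits)


def audit(version, roles):
    """Combine the version check with the role review into one report."""
    return {
        "version": version,
        "affected": is_affected(version),
        "roles_with_tasks_read": roles_that_can_read(roles),
    }


# Constructed sample roles (hypothetical, for the example only).
SAMPLE_ROLES = {
    "superuser": {"indices": [{"names": ["*"], "privileges": ["all"]}]},
    "tasks_reader": {"indices": [{"names": [".tasks"], "privileges": ["read"]}]},
    "logs_viewer": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "tasks_monitor": {"indices": [{"names": [".tasks"], "privileges": ["monitor"]}]},
}

if __name__ == "__main__":
    report = audit("7.10.1", SAMPLE_ROLES)
    print(f"version {report['version']} affected: {report['affected']}")
    print("roles able to read .tasks:", ", ".join(report["roles_with_tasks_read"]))
```

In a real review the `roles` argument would be the parsed body of GET /_security/role; the version string comes from the root endpoint's `version.number` field. A role listed by the audit is not necessarily misconfigured (cluster administrators legitimately read .tasks), but on an affected version every such role also sees other users' request headers, which is the exposure the advisory describes.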

Comment 8 Przemyslaw Roguski 2021-02-04 17:04:26 UTC
External References:

https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164

Comment 12 errata-xmlrpc 2022-07-19 13:40:08 UTC
This issue has been addressed in the following products:

  RHINT Camel-Q 2.7

Via RHSA-2022:5606 https://access.redhat.com/errata/RHSA-2022:5606

Comment 13 errata-xmlrpc 2022-09-09 07:12:12 UTC
This issue has been addressed in the following products:

  RHAF Camel-K 1.8

Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407