Bug 1934745 (CVE-2021-22134)

Summary: CVE-2021-22134 elasticsearch: requests do not properly apply security permissions when executing a query against a recently updated document
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, apevec, apevec, bdettelb, bibryam, bmontgom, chazlett, dbecker, dbruno, drieden, eparis, etirelli, ganandan, ggaughan, gmalinko, gvarsami, hbraun, ibek, janstey, jburrell, jcantril, jcoleman, jjoyce, jochrist, jokerman, jschluet, jstastny, jwon, kconner, krathod, kverlaen, ldimaggi, lhh, lpeer, mburns, mmagr, mnovotny, nstielau, nwallace, pantinor, piotr1212, pjindal, rrajasek, rsynek, rwagner, sclewis, sdaley, sd-operator-metering, slinaber, sponnaga, steve.traylen, tcunning, tflannag, tkirby, tomckay
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: elasticsearch 7.11.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in elasticsearch. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. A mitigating factor for this flaw is that an attacker must know the document ID to run the get request.
Last Closed: 2021-03-10 15:05:52 UTC
Type: ---
Bug Depends On: 1934747, 1934748, 1934749    
Bug Blocks: 1934751    

Description Guilherme de Almeida Suckevicz 2021-03-03 18:56:53 UTC
A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. A mitigating factor for this flaw is that an attacker must know the document ID to run the get request.

Reference:
https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835

Comment 1 Guilherme de Almeida Suckevicz 2021-03-03 18:57:27 UTC
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1934748]
Affects: fedora-all [bug 1934749]
Affects: openstack-rdo [bug 1934747]

Comment 2 Mark Cooper 2021-03-04 03:09:31 UTC
External References:

https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835

Comment 3 Mark Cooper 2021-03-04 03:16:14 UTC
OpenShift Container Platform (OCP) packages elasticsearch in its openshift-logging/elasticsearch[5|6] containers. However, it is v6.8.x.

Document and Field Level Security is only in the enterprise version of Elasticsearch [1] which is not included in OpenShift.

Given this, OpenShift has been marked not affected.


[1] https://www.elastic.co/subscriptions

Comment 4 Mark Cooper 2021-03-04 03:50:20 UTC
Statement:

In Elasticsearch, Document and Field Level Security is an enterprise-only feature [1]. Hence the open source version is unaffected by this vulnerability.

[1] https://www.elastic.co/subscriptions

Comment 7 Product Security DevOps Team 2021-03-10 15:05:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22134