Bug 1987299 (CVE-2021-22144)

Summary: CVE-2021-22144 elasticsearch: uncontrolled recursion in Grok parser
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, akoufoud, alazarot, anstephe, aos-bugs, apevec, bmontgom, chazlett, dbecker, dbruno, eparis, ewolinet, fjansen, gmalinko, gvarsami, ibek, janstey, jburrell, jcantril, jcoleman, jjoyce, jochrist, jrokos, jschluet, jwendell, jwon, kverlaen, ldimaggi, lhh, lpeer, mburns, mnovotny, nstielau, nwallace, pantinor, piotr1212, pjindal, rcernich, rfreiman, rwagner, sclewis, slinaber, sponnaga, steve.traylen, tcunning, twalsh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: elasticsearch 7.13.3, elasticsearch 6.8.17
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Elasticsearch. An uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. This flaw allows a user who can submit arbitrary queries to Elasticsearch to create a malicious Grok query that crashes the Elasticsearch node. The highest threat from this vulnerability is to system availability.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1987301, 1987300, 1987303
Bug Blocks: 1987302

Description Guilherme de Almeida Suckevicz 2021-07-29 13:09:04 UTC
In Elasticsearch versions before 7.13.3 and 6.8.17, an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.

Reference:
https://discuss.elastic.co/t/elasticsearch-7-13-3-and-6-8-17-security-update/278100
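
Added example, not code from Elasticsearch or from the advisory above: the report does not say which recursion the fix bounds, so this assumes the usual recursive step of a Grok parser, expanding %{NAME} and %{NAME:field} references through a pattern bank, and shows an expander that rejects cyclic and overly deep pattern definitions when they are registered instead of recursing until the process dies. The pattern bank and the MAX_DEPTH value are constructed for the example.

```python
import re

# Constructed sample pattern bank (not Elasticsearch's bundled patterns).
# %{NAME} and %{NAME:field} are the standard Grok reference forms.
SAMPLE_BANK = {
    "INT": r"[+-]?\d+",
    "WORD": r"\w+",
    "KV": r"%{WORD:key}=%{INT:val}",
    "LOOP": r"%{LOOP}x",                        # refers to itself
    "A": r"%{B}", "B": r"%{C}", "C": r"%{A}",   # indirect cycle
}

# Assumed bound for this example; the page does not state the limit the fix uses.
MAX_DEPTH = 50
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(name, bank, path=()):
    """Expand Grok pattern `name` into a plain regex.

    `path` is the chain of patterns currently being expanded; a name that is
    already on it is a cycle, and a chain longer than MAX_DEPTH is refused so
    a hostile definition cannot drive the expander into unbounded recursion.
    """
    if name in path:
        raise ValueError(f"cyclic reference: {' -> '.join(path + (name,))}")
    if len(path) >= MAX_DEPTH:
        raise ValueError(f"pattern {name!r} nests deeper than {MAX_DEPTH} levels")
    if name not in bank:
        raise KeyError(f"unknown pattern {name!r}")

    def sub(m):
        inner = expand(m.group(1), bank, path + (name,))
        field = m.group(2)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"

    return REF.sub(sub, bank[name])


def validate_bank(bank):
    """Map each pattern that cannot be expanded safely to the reason; run at registration."""
    bad = {}
    for name in bank:
        try:
            expand(name, bank)
        except ValueError as e:
            bad[name] = str(e)
    return bad


def grok_match(name, bank, text):
    """Match `text` against the expanded pattern; returns captured fields or None."""
    m = re.fullmatch(expand(name, bank), text)
    return m.groupdict() if m else None
```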

Comment 1 Guilherme de Almeida Suckevicz 2021-07-29 13:10:49 UTC
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1987301]
Affects: fedora-all [bug 1987303]
Affects: openstack-rdo [bug 1987300]

Comment 2 Jonathan Christison 2021-07-30 14:00:24 UTC
This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss Data Grid 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 6 juneau 2021-08-09 15:51:30 UTC
Marking Hosted OpenShift Clusters "notaffected" per ./#/task/1987302#comment8