Bug 2290705 (CVE-2024-23445)

Summary: CVE-2024-23445 elasticsearch: Remote Cluster Search Cross Cluster API Key insufficient restrictions
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: bdettelb, eglynn, jcantril, jjoyce, jschluet, lhh, lsvaty, mburns, mgarciac, mmagr, pgrist
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Elasticsearch. If a cross-cluster API key restricts the search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross-cluster search operations. Search results may include documents and terms that should not be returned.
Bug Blocks: 2290704    

Description Rohit Keshri 2024-06-06 10:53:27 UTC
Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient
  restrictions (ESA-2024-13)

   It was identified that if a cross-cluster API key restricts search for a
   given index using the query or the field_security parameter, and the same
   cross-cluster API key also grants replication for the same index, the
   search restrictions are not enforced during cross cluster search
   operations and search results may include documents and terms that should
   not be returned.

   This issue only affects the API key based security model for remote
   clusters that was previously a beta feature and is released as GA with
   8.14.0.

   We would like to thank René Kalff for bringing this issue to our
   attention.

  Affected Versions:

   Elasticsearch version on or after 8.10.0 and before 8.14.0

  Solutions and Mitigations:

   The issue is resolved in version 8.14.0.

   Severity: CVSSv3: 6.5 (Medium) -
   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

   CVE ID: CVE-2024-23445

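An audit sketch for the condition described in the Doc Text and advisory above, added here as an example (it is not code from Elastic or from this bug report). It assumes key definitions are available in the `access` body shape of the create cross-cluster API key request (`search` and `replication` entries with `names`, plus optional `query` / `field_security`); the function names and the sample data are constructed for illustration, and the pattern-overlap test is a conservative approximation.

```python
"""Audit cross-cluster API key definitions for the CVE-2024-23445 condition."""
from fnmatch import fnmatchcase

AFFECTED_FROM = (8, 10, 0)   # advisory: on or after 8.10.0
FIXED_IN = (8, 14, 0)        # advisory: resolved in 8.14.0


def is_affected_version(version: str) -> bool:
    """True when the version is in [8.10.0, 8.14.0)."""
    core = version.split("-", 1)[0]          # drop suffixes such as -SNAPSHOT
    parts = tuple(int(p) for p in core.split("."))
    return AFFECTED_FROM <= parts < FIXED_IN


def _may_overlap(a: str, b: str) -> bool:
    """Conservative test for whether two index patterns can name the same index."""
    if fnmatchcase(a, b) or fnmatchcase(b, a):
        return True
    # Two wildcard patterns such as "*-prod" and "logs-*" can still intersect;
    # report them rather than risk missing an exposure.
    return "*" in a and "*" in b


def unenforced_restrictions(access: dict) -> list:
    """Return (search_pattern, replication_pattern, restriction) findings."""
    findings = []
    replicated = [n for e in access.get("replication", []) for n in e.get("names", [])]
    for entry in access.get("search", []):
        restrictions = [k for k in ("query", "field_security") if entry.get(k)]
        for name in entry.get("names", []):
            for rep in replicated:
                if restrictions and _may_overlap(name, rep):
                    findings.extend((name, rep, r) for r in restrictions)
    return findings


# Constructed sample key definition (not taken from the advisory).
SAMPLE_ACCESS = {
    "search": [
        {"names": ["logs-*"], "query": {"term": {"tenant": "a"}}},
        {"names": ["metrics"], "field_security": {"grant": ["host", "cpu"]}},
        {"names": ["audit"]},
    ],
    "replication": [{"names": ["logs-prod-*", "audit"]}],
}

if __name__ == "__main__":
    if is_affected_version("8.12.2"):
        for finding in unenforced_restrictions(SAMPLE_ACCESS):
            print("restriction not enforced:", finding)
```

Each finding names a restricted search pattern that also appears under replication in the same key; on an affected version those keys are the ones to review after upgrading to 8.14.0.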