1149945 – (CVE-2014-6439) CVE-2014-6439 Elasticsearch: CSRF via insecure CORS default configuration

Bug 1149945 (CVE-2014-6439) - CVE-2014-6439 Elasticsearch: CSRF via insecure CORS default configuration

Summary: CVE-2014-6439 Elasticsearch: CSRF via insecure CORS default configuration

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2014-6439
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1149946
TreeView+	depends on / blocked

Reported:	2014-10-07 02:21 UTC by Arun Babu Neelicattu
Modified:	2021-02-17 06:08 UTC (History)
CC List:	13 users (show)
Fixed In Version:	elasticsearch 1.4.0.beta1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-07-20 16:25:12 UTC
Embargoed:

Attachments	(Terms of Use)

Description Arun Babu Neelicattu 2014-10-07 02:21:58 UTC

It was discovered that the default configuration for cross-origin resource sharing (CORS) exposed a cross-site request forgery (CSRF) vulnerability. A remote attacker could use this flaw by providing a sepecially crafted url to a user, allowing the attacker to send requests to Elasticsearch instances on the users local network leading to data loss or compromise of these instances.

Comment 3 Arun Babu Neelicattu 2014-10-07 02:35:59 UTC

Upstream Fix:

https://github.com/elasticsearch/elasticsearch/commit/bd0eb32d9c3c3f5b6e5f8630c859cd04bdcd4e06

Comment 4 Arun Babu Neelicattu 2014-10-07 02:36:39 UTC

Upstream Issue:

https://github.com/elasticsearch/elasticsearch/issues/7151

Comment 5 Arun Babu Neelicattu 2014-10-07 02:43:24 UTC

Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/6439.yaml

Comment 7 Kurt Seifried 2015-07-20 16:24:25 UTC

Updating the severity, for Sam 1.x elasticsearch only listens on localhost, thus local access is required. For Satellite 6.x the installation process should include firewalling it to trusted local users only. As such this only scores 3.3 instead of 5.8 on the CVSS2 scoring.

Comment 9 Kurt Seifried 2015-07-20 16:25:12 UTC

Statement:

This issue affects the versions of elasticsearch as shipped with Red Hat Satellite 6.x and Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 Ján Rusnačko 2015-10-23 14:45:42 UTC

Mitigation:

As provided at http://www.elasticsearch.org/community/security/,

Users should either set "http.cors.enabled" to false, or set "http.cors.allow-origin" to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases.

For Satellite 6.x and Sam 1.x you can simply firewall elasticsearch to trusted users only (e.g. root, katello, foreman). For instructions on this please see:

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-single/Installation_Guide/index.html#sect-Red_Hat_Satellite-Installation_Guide-Red_Hat_Satellite_Installation-Configuring_Red_Hat_Satellite_Manually

Comment 11 Ján Rusnačko 2015-10-23 14:46:31 UTC

I just merged the two Mitigations in comment 1 and comment 9 - marking them private.

Note You need to log in before you can comment on or make changes to this bug.