Rich Megginson of Red Hat reports: When deploying OpenShift with logging using Elasticsearch exposed as an external route, it is possible for an attacker to connect to Elasticsearch through that route without authentication.
Acknowledgments: Name: Rich Megginson (Red Hat)
I'm still waiting to hear if I need a separate errata for OSE 3.7, or if it is still possible to get this into 3.7.0. I will need errata for 3.6, 3.5, and 3.4. That means I will need bz for those releases. There is already a 3.5 bz: https://bugzilla.redhat.com/show_bug.cgi?id=1501987 There is another bz attached to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1500758 I cannot view this - is this a 3.6 or 3.4 bz?
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.7 Via RHSA-2017:3188 https://access.redhat.com/errata/RHSA-2017:3188
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.6 Red Hat OpenShift Container Platform 3.5 Red Hat OpenShift Container Platform 3.4 Via RHSA-2017:3389 https://access.redhat.com/errata/RHSA-2017:3389
Elasticsearch authentication can be bypassed when external routes are used with OpenShift Enterprise. Upstream bug: https://github.com/openshift/origin-aggregated-logging/pull/826
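The check a practitioner will want after applying the errata is whether the logging Elasticsearch route still answers anonymous requests. The script below is an added example, not code from the advisory, the errata or the origin-aggregated-logging project: it sends an unauthenticated GET to a route URL (the hostname `logging-es.apps.example.com` is an assumed placeholder; use `oc get routes -n logging` to find yours) and classifies the answer. Elasticsearch's root endpoint returns a JSON document containing `cluster_name` to any client it accepts, so a 200 with that body means the route is exposed; a 401 or 403 means the proxy in front of Elasticsearch rejected the anonymous request. The classification is a separate pure function so it can be exercised on constructed responses without network access.

```python
"""Probe an OpenShift logging Elasticsearch route for anonymous access.

Added example; not part of the advisory or the origin-aggregated-logging
project. The route hostname below is an assumed placeholder.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

# Assumed placeholder; replace with the host from `oc get routes -n logging`.
DEFAULT_URL = "https://logging-es.apps.example.com/"


def classify(status, body):
    """Classify an unauthenticated response from an Elasticsearch route.

    Returns 'exposed' when the cluster root document came back (anonymous
    access works), 'protected' when the request was refused with 401/403,
    and 'unknown' for anything else (non-JSON body, 5xx, redirect, etc.).
    """
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        # Elasticsearch's "/" endpoint always carries cluster_name.
        if isinstance(doc, dict) and "cluster_name" in doc:
            return "exposed"
    return "unknown"


def probe(url=DEFAULT_URL, timeout=10, verify_tls=True):
    """Send one anonymous GET to the route and classify the answer.

    verify_tls=False lets the check run against a self-signed router
    certificate; the result is about authentication, not the cert chain.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # Deliberately no Authorization header and no client certificate.
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL
    verdict = probe(target, verify_tls=False)
    print("%s: %s" % (target, verdict))
    # Non-zero exit when the route accepted an anonymous request.
    sys.exit(1 if verdict == "exposed" else 0)
```

Run it as `python3 probe_es_route.py https://<your-route>/` from outside the cluster, since the point is what an unauthenticated external client sees; an `exposed` verdict on any of the affected 3.4 through 3.7 releases means the errata above has not taken effect on that route.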