A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
Created elasticsearch tracking bugs for this issue:
Affects: fedora-all [bug 1696035]
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Red Hat OpenStack Platform 8.0/9.0 Operational Tools Kibana/Elasticsearch versions do not include nor support X-Pack (8/9 versions must use the optional Shield, also not packaged); not affected.
OpenShift Container Platform (OCP) does not include X-Pack with Elasticsearch, which prevents this vulnerability from being exploited. However, versions of Elasticsearch shipped in OCP do contain the vulnerable code which could allow this vulnerability to be exploited if X-Pack was installed.
RHDM 7.5.1 and RHPAM 7.5.1 both ships elasticsearch-5.6.1.jar and hence seems to be affected as per the description :