Bug 1696034 (CVE-2019-7611) - CVE-2019-7611 elasticsearch: Improper permission issue when attaching a new name to an index
Summary: CVE-2019-7611 elasticsearch: Improper permission issue when attaching a new n...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-7611
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1696035 1732235 1732236 1732237 1732238 1732239
Blocks: 1696036
TreeView+ depends on / blocked
 
Reported: 2019-04-04 03:52 UTC by Pedro Sampaio
Modified: 2021-02-16 22:08 UTC (History)
41 users (show)

Fixed In Version: elasticsearch 5.6.15, elasticsearch 6.6.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-16 10:18:54 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0895 0 None None None 2020-03-18 14:51:53 UTC
Red Hat Product Errata RHSA-2020:0899 0 None None None 2020-03-18 17:38:01 UTC

Description Pedro Sampaio 2019-04-04 03:52:50 UTC
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.

References:

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077

Comment 1 Pedro Sampaio 2019-04-04 03:53:05 UTC
Created elasticsearch tracking bugs for this issue:

Affects: fedora-all [bug 1696035]

Comment 5 Joshua Padman 2019-05-15 23:03:30 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 6 Sam Fowler 2019-07-23 04:55:02 UTC
Statement:

Red Hat OpenStack Platform 8.0/9.0 Operational Tools Kibana/Elasticsearch versions do not include nor support X-Pack (8/9 versions must use the optional Shield, also not packaged); not affected.

OpenShift Container Platform (OCP) does not include X-Pack with Elasticsearch, which prevents this vulnerability from being exploited. However, versions of Elasticsearch shipped in OCP do contain the vulnerable code which could allow this vulnerability to be exploited if X-Pack was installed.

Comment 8 Paramvir jindal 2019-12-11 11:32:48 UTC
RHDM 7.5.1 and RHPAM 7.5.1 both ships elasticsearch-5.6.1.jar and hence seems to be affected as per the description :

RHDM7.5.1/standalone/deployments/decision-central.war/WEB-INF/lib/elasticsearch-5.6.1.jar
RHPAM7.5.1/standalone/deployments/business-central.war/WEB-INF/lib/elasticsearch-5.6.1.jar

Comment 10 errata-xmlrpc 2020-03-18 14:51:50 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895

Comment 11 errata-xmlrpc 2020-03-18 17:37:56 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899


Note You need to log in before you can comment on or make changes to this bug.