In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node. Reference: https://discuss.elastic.co/t/elasticsearch-7-13-3-and-6-8-17-security-update/278100
Created python-elasticsearch tracking bugs for this issue:
Affects: epel-all [bug 1987301]
Affects: fedora-all [bug 1987303]
Affects: openstack-rdo [bug 1987300]
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Data Grid 6
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Upstream fix: https://github.com/elastic/elasticsearch/commit/eec9eefc636460fdc3132ff103581b81a5edd5d3
Marking Hosted OpenShift Clusters "notaffected" per ./#/task/1987302#comment8