Bug 1501986 (CVE-2017-12195) - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes
Summary: CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearc...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-12195
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1500086 1501987 1510117 1510118 1518397
Blocks: 1500758
TreeView+ depends on / blocked
 
Reported: 2017-10-13 16:10 UTC by Kurt Seifried
Modified: 2021-02-17 01:22 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An attacker with knowledge of the given name used to authenticate and access Elasticsearch can later access it without the token, bypassing authentication. This attack also requires that the Elasticsearch be configured with an external route, and the data accessed is limited to the indices.
Clone Of:
Environment:
Last Closed: 2017-12-15 04:42:30 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-29 02:34:54 UTC
Red Hat Product Errata RHSA-2017:3389 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise security, bug fix, and enhancement update 2017-12-07 12:09:10 UTC

Description Kurt Seifried 2017-10-13 16:10:49 UTC 
Rich Megginson of Red Hat reports:

When deploying Openshift with logging using Elasticsearch exposed as an external route it is possible for an attacker to connect to Elasticsearch without authentication.
Comment 1 Kurt Seifried 2017-10-13 16:10:54 UTC 
Acknowledgments:

Name: Rich Megginson (Red Hat)
Comment 10 Rich Megginson 2017-11-02 21:48:09 UTC 
I'm still waiting to hear if I need a separate errata for OSE 3.7, or if it is still possible to get this into 3.7.0.

I will need errata for 3.6, 3.5, and 3.4.  That means I will need bz for those releases.  There is already a 3.5 bz: https://bugzilla.redhat.com/show_bug.cgi?id=1501987

There is another bz attached to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1500758 I cannot view this - is this a 3.6 or 3.4 bz?
Comment 18 errata-xmlrpc 2017-11-28 21:50:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.7

Via RHSA-2017:3188 https://access.redhat.com/errata/RHSA-2017:3188
Comment 21 errata-xmlrpc 2017-12-07 07:10:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.6
  Red Hat OpenShift Container Platform 3.5
  Red Hat OpenShift Container Platform 3.4

Via RHSA-2017:3389 https://access.redhat.com/errata/RHSA-2017:3389
Comment 22 Mark Knowles 2017-12-15 04:42:30 UTC 
Elasicsearch authentication can be bypassed when external routes are used with OpenShift Enterprise.

Upstream bug:

https://github.com/openshift/origin-aggregated-logging/pull/826
Note You need to log in before you can comment on or make changes to this bug.