Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details. References: https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035 https://www.elastic.co/community/security
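The exposure described above is easy to audit from the defender's side: pull the `_cluster/settings` document and flag any persistent or transient key whose name suggests a credential, so it can be moved out of API-visible settings before an upgrade to a fixed version. The following is an added example, not code from the advisory or from Elastic; the sample response, setting names and the keyword list are constructed for illustration and are not taken from the page.

```python
import json
import re

# Constructed sample shaped like a GET _cluster/settings response.
# The setting names are illustrative, not taken from the advisory.
SAMPLE_RESPONSE = json.dumps({
    "persistent": {
        "xpack": {
            "notification": {
                "slack": {"account": {"ops": {"url": "https://hooks.example.invalid/T0/abc"}}},
                "email": {"account": {"work": {"smtp": {"user": "alerts",
                                                        "password": "hunter2"}}}},
            }
        },
        "cluster": {"routing": {"allocation": {"enable": "all"}}},
    },
    "transient": {"logger": {"_root": "INFO"}},
})

# Leaf-name patterns that usually indicate a secret or account identifier.
SENSITIVE_PATTERN = re.compile(
    r"(password|passwd|secret|token|user(name)?|credential|api_?key)", re.IGNORECASE
)


def flatten(tree, prefix=""):
    """Yield (dotted_key, value) for every leaf of a nested settings dict."""
    for key, value in tree.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, dotted)
        else:
            yield dotted, value


def find_sensitive_settings(response_json):
    """Return (section, dotted_key) pairs whose leaf name looks like a secret.

    Only the persistent and transient sections are inspected, because those
    are the values that were written through the settings API.
    """
    data = json.loads(response_json)
    hits = []
    for section in ("persistent", "transient"):
        for dotted, _value in flatten(data.get(section, {})):
            leaf = dotted.rsplit(".", 1)[-1]
            if SENSITIVE_PATTERN.search(leaf):
                hits.append((section, dotted))
    return hits


def redact(response_json, placeholder="<redacted>"):
    """Return the settings JSON with sensitive leaf values replaced.

    Useful when the raw API output is about to be written to a ticket or log.
    """
    data = json.loads(response_json)

    def walk(tree):
        for key, value in list(tree.items()):
            if isinstance(value, dict):
                walk(value)
            elif SENSITIVE_PATTERN.search(key):
                tree[key] = placeholder

    for section in ("persistent", "transient"):
        walk(data.get(section, {}))
    return json.dumps(data)


if __name__ == "__main__":
    for section, key in find_sensitive_settings(SAMPLE_RESPONSE):
        print(f"{section}: {key} looks like a secret stored in API-visible settings")
    print(redact(SAMPLE_RESPONSE))
```

Run against a real cluster by feeding it the body of `GET _cluster/settings` (for example via `curl`); any hit is a value that every authenticated user able to read cluster settings could see on an unfixed version, so treat it as a rotation candidate once the secret has been moved out of the settings API.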
Created elasticsearch tracking bugs for this issue: Affects: fedora-all [bug 1632454]
Created elasticsearch tracking bugs for this issue: Affects: fedora-all [bug 1632971]
OpenShift uses Search Guard [1] to protect the affected _cluster/settings endpoint with certificate based authentication. Therefore none of the OpenShift 3.x versions are affected. [1] https://docs.search-guard.com/latest/index
Statement: Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact Moderate, and is not currently planned to be addressed in future updates.
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat Fuse 7.7.0 Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-3831