A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm. References: https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
Created elasticsearch tracking bugs for this issue: Affects: fedora-all [bug 1764752]
OpenShift Container Platform does not ship the X-Pack add-on for ElasticSearch.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-7619