Bug 1821240 (CVE-2020-7009) - CVE-2020-7009 elasticsearch: Generating API keys with specific steps could result in generating API key with elevated privileges
Summary: CVE-2020-7009 elasticsearch: Generating API keys with specific steps could re...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-7009
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1821241 1821242 1821243
Blocks: 1821244
TreeView+ depends on / blocked
 
Reported: 2020-04-06 11:22 UTC by Michael Kaplan
Modified: 2021-02-16 20:18 UTC (History)
43 users (show)

Fixed In Version: Elasticsearch 6.8.8, Elasticsearch 7.6.2
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-08 04:31:48 UTC
Embargoed:


Attachments (Terms of Use)

Description Michael Kaplan 2020-04-06 11:22:20 UTC
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.

Comment 1 Michael Kaplan 2020-04-06 11:22:48 UTC
Upstream Reference:

https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920

Comment 2 Michael Kaplan 2020-04-06 11:22:57 UTC
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1821242]
Affects: fedora-all [bug 1821241]
Affects: openstack-rdo [bug 1821243]

Comment 5 Summer Long 2020-04-07 01:34:25 UTC
Upstream issue: https://github.com/elastic/elasticsearch/pull/53647

Comment 10 Product Security DevOps Team 2020-04-08 04:31:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7009

Comment 13 Jason Shepherd 2020-06-22 20:25:42 UTC
Statement:

OpenShift Container Platform 4.x and 3.11 use Elasticsearch 5.6 which does not have the API Keys feature.


Note You need to log in before you can comment on or make changes to this bug.