Bug 1923181 (CVE-2021-22132) - CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure
Summary: CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP h...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-22132
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1923183 1923182 1923185
Blocks: 1923184
Reported: 2021-02-01 14:19 UTC by Marian Rehak
Modified: 2022-09-09 07:12 UTC (History)
CC List: 51 users

See Also:
Fixed In Version: elasticsearch 7.10.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-28 08:44:10 UTC
Embargoed:

Links
System                 | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2022:5606 | 0       | None     | None   | None    | 2022-07-19 13:40:11 UTC
Red Hat Product Errata | RHSA-2022:6407 | 0       | None     | None   | None    | 2022-09-09 07:12:15 UTC

Description Marian Rehak 2021-02-01 14:19:49 UTC
An information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster.

Upstream Reference:

https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164
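The description above frames the exposure in two parts: a node running an affected release (7.7.0 up to but not including 7.10.2, per the version range recorded later in this bug) and a role that lets a user read the .tasks index where the headers were stored. The script below is an added example written for this page; it is not code from the bug report, from Red Hat, or from Elasticsearch. It checks a version string against that range and scans role definitions for index privileges that can read .tasks. It assumes the role data has the shape returned by Elasticsearch's GET _security/role API (a map of role name to a body with an "indices" list of {"names", "privileges"} grants) and simplifies wildcard handling by treating any pattern that covers ".tasks" as a grant, which is the conservative choice for an audit. The sample roles are constructed for the demonstration.

```python
"""Added example for CVE-2021-22132 (not from the bug report or Elasticsearch).

Two defender-side checks:
  1. is_affected(version): is this Elasticsearch release inside the affected range?
  2. roles_that_can_read_tasks(roles): which roles can read the .tasks index, where
     async-search task documents (and, on affected versions, request headers) live.
"""
import re

AFFECTED_MIN = (7, 7, 0)   # first affected release, per this bug's version-range comment
FIXED = (7, 10, 2)         # "Fixed In Version" from the bug header

# Index privileges that allow reading documents. "all" implies read. (Assumption:
# this list is kept deliberately small; extend it if your roles use custom names.)
READ_LIKE = {"read", "all"}


def parse_version(version: str) -> tuple:
    """Parse 'major.minor.patch' (ignoring any suffix such as '-SNAPSHOT')."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when AFFECTED_MIN <= version < FIXED."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def _pattern_covers_tasks(pattern: str) -> bool:
    """Does a role's index-name pattern (with '*' wildcards) cover '.tasks'?

    Assumption: we treat any wildcard match as a grant. Elasticsearch applies extra
    rules for some system indices, so this check may over-report; for an audit that
    is the safer direction.
    """
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, ".tasks") is not None


def roles_that_can_read_tasks(roles: dict) -> list:
    """Return sorted role names whose index privileges can read '.tasks'.

    `roles` is assumed to look like a GET _security/role response:
    {role_name: {"indices": [{"names": [...], "privileges": [...]}, ...], ...}}
    """
    hits = []
    for name, body in roles.items():
        for grant in body.get("indices", []):
            names = grant.get("names", [])
            privs = set(grant.get("privileges", []))
            if privs & READ_LIKE and any(_pattern_covers_tasks(p) for p in names):
                hits.append(name)
                break  # one qualifying grant is enough to flag the role
    return sorted(hits)


# Constructed sample resembling a GET _security/role response (not real cluster data).
SAMPLE_ROLES = {
    "dashboard_reader": {"indices": [{"names": [".kibana*"], "privileges": ["read"]}]},
    "task_reader": {"indices": [{"names": [".tasks"], "privileges": ["read"]}]},
    "wide_open": {"indices": [{"names": ["*"], "privileges": ["all"]}]},
    "log_writer": {"indices": [{"names": ["logs-*"], "privileges": ["write", "create_index"]}]},
}


if __name__ == "__main__":
    for v in ("7.6.2", "7.7.0", "7.10.1", "7.10.2"):
        print(f"{v}: {'affected' if is_affected(v) else 'not affected'}")
    print("roles able to read .tasks:", roles_that_can_read_tasks(SAMPLE_ROLES))
```

On a live cluster you would feed `roles_that_can_read_tasks` the parsed JSON from GET _security/role and `is_affected` the "number" field from GET /; a role that appears in the first list on a node that fails the second check is the combination the description warns about, and the remediation is the upgrade to 7.10.2 named in the bug header, with the role grant reviewed in the meantime.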

Comment 1 Marian Rehak 2021-02-01 14:20:59 UTC
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1923183]
Affects: fedora-all [bug 1923185]
Affects: openstack-rdo [bug 1923182]

Comment 6 Przemyslaw Roguski 2021-02-04 16:55:54 UTC
Elasticsearch >=7.7.0 and < 7.10.2 are affected by this vulnerability.

upstream fix:
https://github.com/elastic/elasticsearch/pull/66294/files

Comment 8 Przemyslaw Roguski 2021-02-04 17:04:26 UTC
External References:

https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164

Comment 12 errata-xmlrpc 2022-07-19 13:40:08 UTC
This issue has been addressed in the following products:

  RHINT Camel-Q 2.7

Via RHSA-2022:5606 https://access.redhat.com/errata/RHSA-2022:5606

Comment 13 errata-xmlrpc 2022-09-09 07:12:12 UTC
This issue has been addressed in the following products:

  RHAF Camel-K 1.8

Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
