Bug 1934745 (CVE-2021-22134) - CVE-2021-22134 elasticsearch: requests do not properly apply security permissions when executing a query against a recently updated document
Summary: CVE-2021-22134 elasticsearch: requests do not properly apply security permiss...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-22134
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1934748 1934747 1934749
Blocks: 1934751
TreeView+ depends on / blocked
 
Reported: 2021-03-03 18:56 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-24 14:22 UTC (History)
60 users (show)

Fixed In Version: elasticsearch 7.11.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in elasticsearch. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. A mitigating factor to this flaw is an attacker must know the document ID to run the get request.
Clone Of:
Environment:
Last Closed: 2021-03-10 15:05:52 UTC
Embargoed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-03-03 18:56:53 UTC
A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. A mitigating factor to this flaw is an attacker must know the document ID to run the get request.

Reference:
https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835

Comment 1 Guilherme de Almeida Suckevicz 2021-03-03 18:57:27 UTC
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1934748]
Affects: fedora-all [bug 1934749]
Affects: openstack-rdo [bug 1934747]

Comment 2 Mark Cooper 2021-03-04 03:09:31 UTC
External References:

https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835

Comment 3 Mark Cooper 2021-03-04 03:16:14 UTC
OpenShift Container Platform (OCP) packages elasticsearch in its openshift-logging/elasticsearch[5|6] containers. However it is v6.8.x. 

Document and Field Level Security is only in the enterprise version of Elasticsearch [1] which is not included in OpenShift.

Given this, OpenShift has been marked not affected.


[1] https://www.elastic.co/subscriptions

Comment 4 Mark Cooper 2021-03-04 03:50:20 UTC
Statement:

In Elasticsearch, Document and Field Level Security is an enterprise only feature [1]. Hence the open source version is unaffected by this vulnerability.

[1] https://www.elastic.co/subscriptions

Comment 7 Product Security DevOps Team 2021-03-10 15:05:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22134


Note You need to log in before you can comment on or make changes to this bug.