A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. A mitigating factor to this flaw is an attacker must know the document ID to run the get request. Reference: https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835
Created python-elasticsearch tracking bugs for this issue: Affects: epel-all [bug 1934748] Affects: fedora-all [bug 1934749] Affects: openstack-rdo [bug 1934747]
External References: https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835
OpenShift Container Platform (OCP) packages elasticsearch in its openshift-logging/elasticsearch[5|6] containers. However it is v6.8.x. Document and Field Level Security is only in the enterprise version of Elasticsearch [1] which is not included in OpenShift. Given this, OpenShift has been marked not affected. [1] https://www.elastic.co/subscriptions
Statement: In Elasticsearch, Document and Field Level Security is an enterprise only feature [1]. Hence the open source version is unaffected by this vulnerability. [1] https://www.elastic.co/subscriptions
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22134