Bug 1985039 (CVE-2021-22145) - CVE-2021-22145 elasticsearch: memory disclosure in error reporting
Summary: CVE-2021-22145 elasticsearch: memory disclosure in error reporting
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-22145
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1985045 1985044 1985046 1985932
Blocks: 1985040
TreeView+ depends on / blocked
 
Reported: 2021-07-22 17:15 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-01 00:42 UTC (History)
65 users (show)

Fixed In Version: elasticsearch 7.13.4
Doc Type: If docs needed, set a value
Doc Text:
A memory disclosure flaw was found in Elasticsearch’s error reporting. A user who can submit arbitrary queries to Elasticsearch could submit a malformed query that results in an error message returned that contains previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-10-28 08:58:48 UTC
Embargoed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-07-22 17:15:12 UTC
A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

Reference:
https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177

Comment 1 Guilherme de Almeida Suckevicz 2021-07-22 17:18:38 UTC
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1985045]
Affects: fedora-all [bug 1985046]
Affects: openstack-rdo [bug 1985044]


Note You need to log in before you can comment on or make changes to this bug.