https://bugzilla.redhat.com/show_bug.cgi?id=1696034
Bug ID: 1696034
Summary: CVE-2019-7611 elasticsearch: Improper permission issue when attaching a new name to an index
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190219,reported=20190219,source=cve,cvss3=6.8/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N,cwe=CWE-285,openshift-enterprise-3.11/elasticsearch=new,openshift-enterprise-3.10/elasticsearch=new,openshift-enterprise-3.9/elasticsearch=new,openshift-enterprise-3.7/elasticsearch=new,openshift-enterprise-3.6/elasticsearch=new,openshift-enterprise-3.1/elasticsearch=new,openshift-enterprise-3.0/elasticsearch=new,openstack-8-optools/elasticsearch=new,openshift-enterprise-3.5/elasticsearch=new,openshift-enterprise-3.4/elasticsearch=new,openshift-enterprise-3.3/elasticsearch=new,openshift-enterprise-3.2/elasticsearch=new,openstack-9-optools/elasticsearch=new,fedora-all/elasticsearch=affected,sam-1/elasticsearch=new,fuse-7/elasticsearch=new,rhdm-7/elasticsearch=new,fuse-6/elasticsearch=new,rhpam-7/elasticsearch=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: ahardin@redhat.com, alazarot@redhat.com, anstephe@redhat.com, bkearney@redhat.com, bleanhar@redhat.com, bobjensen@gmail.com, cbillett@redhat.com, ccoleman@redhat.com, chazlett@redhat.com, dbecker@redhat.com, dedgar@redhat.com, emmanuel@seyman.fr, eparis@redhat.com, etirelli@redhat.com, ibek@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jjoyce@redhat.com, jokerman@redhat.com, jschluet@redhat.com, jvanek@redhat.com, kbasil@redhat.com, krathod@redhat.com, kverlaen@redhat.com, lhh@redhat.com, lpeer@redhat.com, lpetrovi@redhat.com, mburns@redhat.com, mchappel@redhat.com, mmagr@redhat.com, pahan@hubbitus.info, paradhya@redhat.com, rrajasek@redhat.com, rsynek@redhat.com, rzhang@redhat.com, sclewis@redhat.com, sdaley@redhat.com, slinaber@redhat.com, tomckay@redhat.com, zbyszek@in.waw.pl
Target Milestone: ---
Classification: Other
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
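The description above gives three conditions for exposure: a 5.x release before 5.6.15 or a 6.x release before 6.6.1, and xpack.security.dls_fls.enabled explicitly set to false in elasticsearch.yml. The following is an added example (not from the bug report or from Elastic) that turns those conditions into a per-node check; the sample config fragments are constructed, and whether X-Pack is installed at all is assumed to be verified separately, as the OCP statement later in the bug points out.

```python
"""CVE-2019-7611 exposure check (added example, not from the bug report).
Affected set per the description: 5.x before 5.6.15 or 6.x before 6.6.1
with xpack.security.dls_fls.enabled set to false. Whether X-Pack is
installed at all must be checked separately (see the OCP statement)."""
import re

FIRST_FIXED = {5: (5, 6, 15), 6: (6, 6, 1)}  # first fixed release per line
# Constructed sample elasticsearch.yml fragments (flat, nested, and safe).
WEAK_FLAT = "cluster.name: prod\nxpack.security.dls_fls.enabled: false\n"
WEAK_NESTED = "xpack:\n  security:\n    dls_fls:\n      enabled: false  # tuned\n"
SAFE_CFG = "cluster.name: prod\nxpack.security.enabled: true\n"

def parse_version(text):
    """'5.6.15' -> (5, 6, 15): tuples compare numerically, strings do not."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def version_vulnerable(version):
    v = parse_version(version)
    fixed = FIRST_FIXED.get(v[0])  # 7.x and later shipped after the fix
    return fixed is not None and v < fixed

def flatten_yaml(yml_text):
    """Flatten a simple nested-mapping YAML document into dotted keys so the
    flat and block spellings of a setting land on the same key (no lists)."""
    result, stack = {}, []  # stack of (indent, key) for open mappings
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, value = (s.strip() for s in line.strip().split(":", 1))
        while stack and stack[-1][0] >= indent:  # close deeper mappings
            stack.pop()
        full = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))
        else:
            result[full] = value.strip("\"'")
    return result

def dls_fls_disabled(yml_text):
    """True only when explicitly set to false; the default is enabled."""
    return flatten_yaml(yml_text).get("xpack.security.dls_fls.enabled", "true").lower() == "false"

def assess(version, yml_text):
    """One of 'affected', 'fixed-version', 'dls-fls-enabled' for a node."""
    if not version_vulnerable(version):
        return "fixed-version"
    if not dls_fls_disabled(yml_text):
        return "dls-fls-enabled"
    return "affected"
```

Note that the version tuple comparison matters: as strings, "5.6.15" sorts before "5.6.2", which would misclassify patched nodes.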
References:
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/...
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
Depends On | | 1696035
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created elasticsearch tracking bugs for this issue:
Affects: fedora-all [bug 1696035]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1696035 [Bug 1696035] CVE-2019-7611 elasticsearch: Improper permission issue when attaching a new name to an index [fedora-all]
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
Blocks | | 1696036
Summer Long slong@redhat.com changed:
What | Removed | Added
Whiteboard | openstack-8-optools/elasticsearch=new, openstack-9-optools/elasticsearch=new | openstack-8-optools/elasticsearch=notaffected, openstack-9-optools/elasticsearch=notaffected (other whiteboard entries unchanged)
--- Comment #2 from Summer Long slong@redhat.com --- Statement:
Red Hat OpenStack Platform 8.0/9.0 Operational Tools for RHEL 7, which include Elasticsearch, do not include nor support the optional X-Pack for security and are therefore not affected. (These versions must use the optional Shield, also not included.)
--- Comment #3 from Summer Long slong@redhat.com --- Statement:
Red Hat OpenStack Platform 8.0/9.0 Operational Tools for RHEL 7, which include Elasticsearch, do not include nor support the optional X-Pack for security and are therefore not affected. (These versions must use the optional Shield, also not included.)
--- Comment #4 from Summer Long slong@redhat.com --- Statement:
Red Hat OpenStack Platform 8.0/9.0 Operational Tools Kibana/Elasticsearch versions do not include nor support X-Pack (8/9 versions must use the optional Shield, also not packaged); not affected.
--- Comment #5 from Joshua Padman jpadman@redhat.com --- This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Cedric Buissart 🐶 cbuissar@redhat.com changed:
What | Removed | Added
CC | bkearney@redhat.com, cbillett@redhat.com, tomckay@redhat.com |
Whiteboard | sam-1/elasticsearch=new | (entry removed; other whiteboard entries unchanged)
Sam Fowler sfowler@redhat.com changed:
What | Removed | Added
Whiteboard | openshift-enterprise-3.0/elasticsearch=new | (entry removed; other whiteboard entries unchanged)
Sam Fowler sfowler@redhat.com changed:
What | Removed | Added
Whiteboard | openshift-enterprise-3.11/elasticsearch=new | openshift-enterprise-3.11/logging-elasticsearch5-container=new, openshift-enterprise-4.1/logging-elasticsearch5-container=new, openshift-4.2/logging-elasticsearch5-container=new (other whiteboard entries unchanged)
--- Comment #6 from Sam Fowler sfowler@redhat.com --- Statement:
Red Hat OpenStack Platform 8.0/9.0 Operational Tools Kibana/Elasticsearch versions do not include nor support X-Pack (8/9 versions must use the optional Shield, also not packaged); not affected.
OpenShift Container Platform (OCP) does not include X-Pack with Elasticsearch, which prevents this vulnerability from being exploited. However, versions of Elasticsearch shipped in OCP do contain the vulnerable code which could allow this vulnerability to be exploited if X-Pack was installed.
Sam Fowler sfowler@redhat.com changed:
What | Removed | Added
Whiteboard | openshift-enterprise-3.11/logging-elasticsearch5-container=new, openshift-enterprise-3.10/elasticsearch=new, openshift-enterprise-3.9/elasticsearch=new, openshift-enterprise-4.1/logging-elasticsearch5-container=new, openshift-4.2/logging-elasticsearch5-container=new | openshift-enterprise-3.11/logging-elasticsearch5-container=affected, openshift-enterprise-3.10/elasticsearch=affected, openshift-enterprise-3.9/elasticsearch=affected, openshift-enterprise-4.1/logging-elasticsearch5-container=affected, openshift-4.2/logging-elasticsearch5-container=affected (other whiteboard entries unchanged)
Sam Fowler sfowler@redhat.com changed:
What | Removed | Added
Depends On | | 1732237, 1732238, 1732239, 1732236, 1732235
Bug 1696034 depends on bug 1696035, which changed state.
Bug 1696035 Summary: CVE-2019-7611 elasticsearch: Improper permission issue when attaching a new name to an index [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1696035
What | Removed | Added
Status | ASSIGNED | CLOSED
Resolution | --- | EOL
--- Comment #8 from Paramvir jindal pjindal@redhat.com --- RHDM 7.5.1 and RHPAM 7.5.1 both ship elasticsearch-5.6.1.jar and hence seem to be affected as per the description:
RHDM7.5.1/standalone/deployments/decision-central.war/WEB-INF/lib/elasticsearch-5.6.1.jar
RHPAM7.5.1/standalone/deployments/business-central.war/WEB-INF/lib/elasticsearch-5.6.1.jar
Paramvir jindal pjindal@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | ERRATA
Last Closed | | 2020-03-16 10:18:54
--- Comment #10 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Process Automation
Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:0895
--- Comment #11 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Decision Manager
Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:0899