==================================================================== CERT-Renater Note d'Information No. 2021/VULN182 _____________________________________________________________________ DATE : 26/03/2021 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Elasticsearch versions prior to 7.11.2, 6.8.15, Kibana versions prior to 7.12.0, 6.8.15, Logstash versions prior to 7.12.0, 6.8.15. ===================================================================== https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125 _____________________________________________________________________ Elastic Stack 7.12.0 and 6.8.15 Security Update Announcements Security Announcements douglasday (Douglas Day) March 23, 2021, 5:40pm #1 Elasticsearch Suggester & Profile API information disclosure flaw (ESA-2021-06) A document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view. Affected Versions: All versions of Elasticsearch before 7.11.2 and 6.8.15. Solutions and Mitigations: Anyone using both Document and Field Level Security should upgrade to Elasticsearch version 7.11.2 or 6.8.15. There is no known workaround for this flaw. CVSSv3 - 3.1: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVE ID: CVE-2021-22135 Kibana Timeout Bypass (ESA-2021-07) A flaw in Kibana’s session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out. Affected Versions: All versions of Kibana before 7.12.0 and 6.8.15. Solutions and Mitigations: Users should update their version of Kibana to 7.12.0 or 6.8.15. CVSSv3 - 4.0: AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVE ID: CVE-2021-22136 Elasticsearch field disclosure flaw (ESA-2021-08) A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices. Thanks to Piotr Dłubisz, Security Consultant at JN Data A/S for reporting this issue. Affected Versions: All versions of Elasticsearch before 6.8.15 and 7.11.2 Solutions and Mitigations: Anyone using Document or Field Level Security should upgrade to Elasticsearch version 7.11.2 or 6.8.15. There is no known workaround for this flaw. CVSSv3 - 2.6:AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N CVE ID: CVE-2021-22137 Logstash certificate verification bypass (ESA-2021-09) A TLS certificate validation flaw was found in the monitoring feature of Logstash. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man in the middle style attack against the Logstash monitoring data. Affected Versions: All versions of Logstash after 6.4.0 and before versions 6.8.15 and 7.12.0 Solutions and Mitigations: Users should update their version of Logstash to 7.12.0 or 6.8.15. CVSSv3 - 2.6:AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE ID: CVE-2021-22138 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================