
=====================================================================

                                CERT-Renater

                     Note d'Information No. 2022/VULN196

_____________________________________________________________________

DATE                : 01/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Elasticsearch 6.8.x, or 7.9.2 and
                          later prior to 7.17.4 and 8.2.1.

=====================================================================
https://discuss.elastic.co/t/elastic-stack-7-17-4-and-8-2-1-security-update/305530
_____________________________________________________________________


  Elastic Stack 7.17.4 and 8.2.1 Security Update

Brian Levine, Elastic Team Member


Elastic Stack update for CVE-2022-21449 Java vulnerability in Elliptic 
Curve Digital Signature Algorithm (ECDSA) (ESA-2022-06)

A vulnerability (CVE-2022-21449) affecting the implementation of 
Elliptic Curve Digital Signature Algorithm (ECDSA) signature 
verification in Java JDK versions 15 and later was published on April 
19, 2022. This vulnerability affects Oracle Java and OpenJDK, including 
other JDKs derived from OpenJDK.
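The following is an added illustration by the editor, not code from the
CERT-Renater note, Elastic or the JDK. It is a small, pure-Python ECDSA
verifier over NIST P-256 whose `verify` function performs the scalar range
check that CVE-2022-21449 omitted: r and s must both lie in [1, n-1]
before any curve arithmetic is done. All function names, the demo private
key, the digest and the simplified nonce derivation in `sign` are
assumptions made for the example; the curve constants are the standard
P-256 parameters.

```python
"""Reference ECDSA (P-256) verification with the [1, n-1] range check on
(r, s).  Added example; not Elastic's or the JDK's implementation."""
import hashlib

# NIST P-256 domain parameters (standard values).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (GX, GY)
# Affine points are (x, y) tuples; None stands for the point at infinity.


def is_on_curve(pt):
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0


def point_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2, result is infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add; fine for a demo, not constant-time."""
    result = None
    while k > 0:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def sign(priv, digest):
    """Textbook ECDSA signing. The nonce derivation is a simplified,
    assumed stand-in for RFC 6979 used only to keep the demo deterministic."""
    e = int.from_bytes(digest, "big")
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + digest).digest(), "big") % N
    while True:
        k = k or 1
        r = scalar_mult(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * priv) % N
        if r and s:
            return (r, s)
        k = (k + 1) % N


def verify(pub, digest, sig):
    r, s = sig
    # Range check required by SEC 1 / FIPS 186: r, s in [1, n-1].
    # CVE-2022-21449 was the absence of this check in the JDK 15+ verifier.
    if not (1 <= r < N and 1 <= s < N):
        return False
    if not is_on_curve(pub):
        return False
    e = int.from_bytes(digest, "big")
    w = pow(s, -1, N)
    u1, u2 = e * w % N, r * w % N
    pt = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    if pt is None:
        return False                     # infinity never matches a valid r
    return pt[0] % N == r


# Constructed demo key and message; not real credentials or real SAML data.
DEMO_PRIV = 0x1F2E3D4C5B6A79880706050403020100FFEEDDCCBBAA99887766554433221100
DEMO_PUB = scalar_mult(DEMO_PRIV, G)
DEMO_DIGEST = hashlib.sha256(b"<samlp:Response ...> (constructed)").digest()
DEMO_SIG = sign(DEMO_PRIV, DEMO_DIGEST)

if __name__ == "__main__":
    print("valid signature accepted:", verify(DEMO_PUB, DEMO_DIGEST, DEMO_SIG))
    print("all-zero signature accepted:", verify(DEMO_PUB, DEMO_DIGEST, (0, 0)))
```

The second call above is the check a practitioner wants from any ECDSA
verifier in the SAML or OIDC path: an all-zero (r, s) must be rejected
outright. A JDK build fixed for CVE-2022-21449 behaves the same way; the
point of the range check is that rejection happens before the modular
inverse and point multiplication, where a zero scalar would otherwise
collapse the computation.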


Affected Products and Versions

Elasticsearch 6.8.x, 7.9.2 and later may be affected by this 
vulnerability when Java JDK 15 or later is used with the following SSO 
configurations:

     - Elasticsearch is configured for SSO with SAML and the SAML Identity
       Provider is using ECDSA based signatures for signing SAML messages.

     - Elasticsearch is configured for SSO with OpenID Connect and the
       OpenID Provider is using ECDSA based signatures for signing OpenID
       Connect ID Tokens and you are using the OpenID Connect Implicit flow.


Logstash ships with a bundled version of Java JDK 11 and thus is not 
affected by default by this issue. Logstash is possibly affected by this 
vulnerability only when Java JDK 15 or later is used and certain 
features are in use with specific configurations.


Enterprise Search may be affected by this vulnerability when the 
Elasticsearch cluster is affected as described above and:

     - Enterprise Search is configured for SSO with SAML and the SAML
       Identity Provider is using ECDSA based signatures for signing SAML
       messages.

     - Enterprise Search is configured for SSO with OpenID Connect and the
       OpenID Provider is using ECDSA based signatures for signing OpenID
       Connect ID Tokens and you are using the OpenID Connect Implicit flow.


Solutions and Mitigations

Elasticsearch 8.2.1 and 7.17.4 are packaged with OpenJDK 18.0.1 which 
resolves this issue.

If you cannot update, you can perform the following steps:

     - Configure your SAML Identity Provider to use an RSA based signing
       algorithm for signing SAML messages, for instance one from the
       xmldsig-more namespace.

     - Configure your OIDC Provider to use an RSASSA-PKCS1-v1_5 based
       signing algorithm for ID Tokens, i.e. RS256, and change your
       Elasticsearch configuration (rp.signature_algorithm) accordingly.

     - For on premises installations, add the following settings in the
       Java Security Properties file located under
       $JDK_HOME/conf/security/java.security:

          - TLS_ECDHE_ECDSA to jdk.tls.client.cipherSuites, and
          - ECDSA usage TLSClient to jdk.certpath.disabledAlgorithms


Mitigations for Logstash:
Logstash ships with a bundled version of Java JDK 11 and thus is not 
affected by default by this issue. Logstash is possibly affected by this 
vulnerability only when Java JDK 15 or later is used and certain 
features are in use with specific configurations.


You can revert to Java JDK 11 or update to the latest Java JDK 17.

     - If you are using JDK 17 or 18, download an updated JDK version
       (Oracle/OpenJDK 17.0.3 or jdk-17.0.3+7 Temurin, Oracle/OpenJDK 18.0.1
       or jdk-18.0.1 Temurin) and point your Logstash installation to use
       that JDK.

If you cannot update the JDK, you can perform the following steps:

     - Add the following settings in the Java Security Properties file
       located under $JDK_HOME/conf/security/java.security:

          - TLS_ECDHE_ECDSA to jdk.tls.client.cipherSuites, and
          - ECDSA usage TLSClient to jdk.certpath.disabledAlgorithms


Mitigations for Enterprise Search:

Follow the mitigation steps for Elasticsearch described above.


Severity:

High


CVSSv3.1:

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)


CVE ID:

CVE-2022-21449


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

