
=====================================================================

                                 CERT-Renater

                     Information Note No. 2022/VULN291

_____________________________________________________________________

DATE                : 26/08/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Elastic Cloud Enterprise versions
                     prior to 3.4.0.

=====================================================================
https://discuss.elastic.co/t/elastic-cloud-enterprise-3-4-0-security-update/312825
_____________________________________________________________________


Elastic Cloud Enterprise 3.4.0 Security Update

ikakavas (Ioannis Kakavas) August 24, 2022, 3:42pm #1


Elastic Cloud Enterprise sensitive information disclosure issue (ESA-2022-10)

A flaw was discovered in ECE before 3.4.0 that might lead to the
disclosure of sensitive information such as user passwords and
Elasticsearch keystore setting values in logs such as the audit log or
deployment logs in the Logging and Monitoring cluster. The affected APIs
are:

PATCH /api/v1/user

PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore


Affected Versions:

Elastic Cloud Enterprise versions before 3.4.0 are affected by this flaw.


Solutions and Mitigations:

Users should upgrade to Elastic Cloud Enterprise 3.4.0. Note that by
default, only users with a Platform admin role have access to the
Logging and Monitoring cluster and the audit logs.
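A defender-side redaction filter for logs that may already carry the values described above, as an added example (not Elastic's or CERT-Renater's code): it targets the two affected PATCH endpoints and blanks the user password and the keystore secret values. The audit-entry layout (one JSON object per line with a "request" object) and both request-body shapes are assumptions.

```python
import json
import re

# Added example, not Elastic's or CERT-Renater's code. The log layout (one JSON
# object per line with a "request" object holding "method", "path" and the
# parsed "body") and both request-body shapes are assumptions; adapt the
# accessors to the real ECE audit-log and API schemas before use.

REDACTED = "[REDACTED]"
# The two endpoints named in ESA-2022-10; /api/v1 is optional because the
# advisory lists the keystore path without the prefix.
USER_PATH = re.compile(r"^(/api/v1)?/user$")
KEYSTORE_PATH = re.compile(r"^(/api/v1)?/deployments/[^/]+/elasticsearch/[^/]+/keystore$")

def redact_entry(line):
    # Returns (re-serialised line, number of secret values blanked).
    entry = json.loads(line)
    req = entry.get("request", {})
    body, path, count = req.get("body"), req.get("path", ""), 0
    if req.get("method") == "PATCH" and isinstance(body, dict):
        if USER_PATH.match(path) and "password" in body:
            body["password"] = REDACTED          # clear-text user password
            count = 1
        elif KEYSTORE_PATH.match(path):
            # Assumed keystore body: {"secrets": {"<setting>": {"value": ...}}}
            for secret in body.get("secrets", {}).values():
                if isinstance(secret, dict) and "value" in secret:
                    secret["value"] = REDACTED
                    count += 1
    return json.dumps(entry, sort_keys=True), count

def redact_log(lines):
    # Scrub a batch; a non-zero total means the log did carry exposed secrets.
    cleaned, total = [], 0
    for line in filter(str.strip, lines):
        out, n = redact_entry(line)
        cleaned.append(out)
        total += n
    return cleaned, total

# Constructed sample entries (not real ECE output): a user update, a keystore
# update, and an unaffected request that must pass through untouched.
SAMPLE_LOG = [
    '{"request": {"method": "PATCH", "path": "/api/v1/user", "body": {"user_name": "alice", "password": "hunter2"}}}',
    '{"request": {"method": "PATCH", "path": "/api/v1/deployments/d1/elasticsearch/main/keystore", "body": {"secrets": {"s3.client.default.secret_key": {"value": "constructed-secret"}}}}}',
    '{"request": {"method": "GET", "path": "/api/v1/deployments/d1", "body": null}}',
]
```

This only scrubs logs already collected in the Logging and Monitoring cluster; the fix itself is the upgrade to 3.4.0.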


CVSSv3.1: 8.5 (High) - AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CVE ID: CVE-2022-23715

CWE-532: Insertion of Sensitive Information into Log File


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
