=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN573
_____________________________________________________________________

DATE                : 03/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Elasticsearch versions prior to
                            8.18.6, 8.19.3, 9.0.6, 9.1.3.

=====================================================================
https://discuss.elastic.co/t/elasticsearch-8-18-6-8-19-3-9-0-6-and-9-1-3-security-update-esa-2025-14-cve-2025-54988/381427
_____________________________________________________________________

Elasticsearch 8.18.6, 8.19.3, 9.0.6, and 9.1.3 Security Update
(ESA-2025-14) (CVE-2025-54988)
ismisepaul (Paul) August 28, 2025, 3:38pm

Elasticsearch XML external entity (XXE) injection in Apache Tika
(ESA-2025-14)

On August 20, 2025, CVE-2025-54988 in Apache Tika PDF parser module
was announced, disclosing an XML External Entity injection flaw in
the Apache Tika tika-parser-pdf-module. This vulnerability allows
an attacker to provide a crafted XFA file within a PDF, read
sensitive data, or trigger malicious requests to internal resources
or third-party servers.

This issue affects Elasticsearch; however, the severity is reduced
from critical to high because the attacker must be authenticated.
Threat actors can trigger the Apache Tika XXE vulnerability in
Elasticsearch by providing a malformed PDF to the ingest attachment
processor, which can trigger unauthorized requests to internal
resources or third-party servers, or could be used to read sensitive
data.


Affected Versions:
8.18.0 up to and including 8.18.5, 8.19.0 up to and including
8.19.2, 9.0.0 up to and including 9.0.5, 9.1.0 up to and
including 9.1.2


Affected Configurations:

Elasticsearch is affected by this only when using the ingest
attachment processor.

For versions of Elasticsearch that use the Java Security Manager,
which include 8.17.8 and below, the risk is mitigated as the
Java Security Manager prevents the exploitation of the
vulnerability.


Solutions and Mitigations:

Users should upgrade to versions 8.18.6, 8.19.3, 9.0.6, or
9.1.3.

For Users that Cannot Upgrade:

We strongly recommend that users upgrade. The following
workarounds will mitigate the security issue but can have
a serious impact on data ingestion.

Users that cannot upgrade could delete any ingest pipelines
that call the “attachment” processor and handle untrusted
PDF files. Note that this can cause ingest to fail or will
produce data that has bypassed any enrichment or
transformation logic that existed in the deleted pipelines.

    Find all pipelines that have an attachment processor
    with the Get Ingest Pipelines API:

        GET _ingest/pipeline

    This will return all pipelines in the system, with the
    key of each top-level object being the pipeline name.

    Look for any processors in the result that are labeled
    "attachment", and record the pipeline name.

    Attempt to delete each of those pipelines with the
    Delete Ingest Pipeline API:

        DELETE _ingest/pipeline/pipeline1

Note that built-in pipelines, like search-default-ingestion,
cannot be deleted. Calling the Delete Ingest Pipeline API
will report success but the pipeline will be immediately
recreated.

Also, attempts to delete some pipelines will fail with an
"illegal_argument_exception" because those pipelines are
configured to be the default or final pipeline of an index.
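As an added illustration (not part of the Elastic advisory or of CERT-Renater's text), the following Python scans a saved GET _ingest/pipeline response for the "attachment" processor, including inside foreach and on_failure handlers where a top-level scan would miss it, and builds the DELETE calls described above. The sample response is constructed, and using a "_meta.managed" flag to recognise built-in pipelines that would be recreated is an assumption, not something the advisory states.

```python
import json

# Constructed sample in the shape of a GET _ingest/pipeline response
# (not captured from a real cluster); pipeline names are made up.
SAMPLE_RESPONSE = json.loads("""{
  "docs-pdf": {"processors": [
      {"attachment": {"field": "data", "target_field": "attachment"}},
      {"remove": {"field": "data"}}]},
  "bulk-files": {"processors": [{"foreach": {"field": "files",
      "processor": {"attachment": {"field": "_ingest._value"}}}}]},
  "logs-default": {
      "processors": [{"set": {"field": "ingested", "value": "now"}}],
      "on_failure": [{"attachment": {"field": "raw"}}]},
  "search-default-ingestion": {"_meta": {"managed": true},
      "processors": [{"attachment": {"field": "_attachment"}}]},
  "metrics-clean": {"processors": [{"lowercase": {"field": "host"}}]}
}""")

def _processor_types(processors):
    """Yield processor types, recursing into foreach 'processor' and on_failure."""
    for step in processors:
        for ptype, config in step.items():
            yield ptype
            if isinstance(config, dict):
                nested = config.get("processor")      # foreach wraps one processor
                if isinstance(nested, dict):
                    yield from _processor_types([nested])
                yield from _processor_types(config.get("on_failure", []))

def find_attachment_pipelines(response):
    """Names of pipelines invoking 'attachment' anywhere, incl. on_failure."""
    hits = []
    for name, body in response.items():
        types = set(_processor_types(body.get("processors", [])))
        types.update(_processor_types(body.get("on_failure", [])))
        if "attachment" in types:
            hits.append(name)
    return sorted(hits)

def delete_plan(response):
    """Map each affected pipeline to the DELETE call from the advisory.
    '_meta.managed' is an assumed heuristic for built-in pipelines."""
    plan = {}
    for name in find_attachment_pipelines(response):
        if response[name].get("_meta", {}).get("managed"):
            plan[name] = "SKIP: managed/built-in pipeline, cannot be deleted"
        else:
            plan[name] = f"DELETE _ingest/pipeline/{name}"
    return plan
```

Pipelines that are the default or final pipeline of an index will still be rejected with illegal_argument_exception when the DELETE is issued; the plan only lists the calls to attempt.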

An alternative is to delete the ingest attachment module
on each Elasticsearch server, with the impact of any
pipeline that uses the attachment processor failing. This
means that any pipelines that transform data from various
formats like Word, Excel, or PDF files would fail.
Customers would not be able to ingest this data. Attempts
to do so would get an HTTP response with status code “500”,
and a root cause type of illegal_state_exception. This
workaround can only be applied on Self-Hosted Elasticsearch
Clusters.

    On each Elasticsearch node in a cluster, change to the
    Elasticsearch installation's top-level directory.

    Delete the ingest attachment module by calling
    "rm -Rf modules/ingest-attachment".

    Restart the Elasticsearch server.

Severity: CVSSv3.1: 8.8(High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MPR:L

CVE ID: CVE-2025-54988

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
