=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN759
_____________________________________________________________________

DATE                : 04/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Elastic Cloud Enterprise versions
                      prior to 3.8.3 (3.8.x line) and 4.0.3 (4.0.x line).

=====================================================================
https://discuss.elastic.co/t/elastic-cloud-enterprise-ece-3-8-3-and-4-0-3-security-update-esa-2025-22/383132
_____________________________________________________________________


Elastic Cloud Enterprise (ECE) 3.8.3 and 4.0.3 Security Update
(ESA-2025-22)
Posted by ikakavas (Ioannis Kakavas), October 31, 2025, 5:36pm

Elastic Cloud Enterprise Improper Authorization (ESA-2025-22)

Improper Authorization in Elastic Cloud Enterprise can lead to
Privilege Escalation where the built-in readonly user can call APIs
that should not be allowed. The list of APIs that are affected by
this issue is:

post:/platform/configuration/security/service-accounts
delete:/platform/configuration/security/service-accounts/{user_id}
patch:/platform/configuration/security/service-accounts/{user_id}
post:/platform/configuration/security/service-accounts/{user_id}/keys
delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}
patch:/user
post:/users
post:/users/auth/keys
delete:/users/auth/keys
delete:/users/auth/keys/_all
delete:/users/auth/keys/{api_key_id}
delete:/users/{user_id}/auth/keys
delete:/users/{user_id}/auth/keys/{api_key_id}
delete:/users/{user_name}
patch:/users/{user_name}

Affected Versions:

Elastic Cloud Enterprise versions after 3.8.0, up to and including 3.8.2

Elastic Cloud Enterprise versions after 4.0.0, up to and including 4.0.2

Affected Configurations:

This issue affects all ECE users.

Solutions and Mitigations:

Users should upgrade to version 3.8.3 (3.8.x line) or 4.0.3 (4.0.x
line). In addition to the upgrade, Elastic Cloud Enterprise users
should investigate whether any users or service accounts were created
by the readonly user and delete them where appropriate. The following
tooling offers this functionality. Elastic advises extreme caution when
deleting users, to ensure that only the necessary ones are deleted.

For Users that Cannot Upgrade:

Users that cannot upgrade should likewise use the provided tooling to
list users or service accounts created by the readonly user and delete
them where appropriate.

Severity: CVSSv3.1 8.8 (High)
          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2025-37736


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================