SB2021032502 - Multiple vulnerabilities in Elasticsearch

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Preservation of Permissions (CVE-ID: CVE-2021-22137)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to search queries do not properly preserve security permissions when executing certain cross-cluster search queries. A remote user can disclose existence of documents via search functionality, when Document or Field Level Security is used.

2) Security restrictions bypass (CVE-ID: CVE-2021-22135)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. A remote user can perform certain queries to enable the profiler and suggester on index and disclose existence of documents and fields.

Remediation

Install update from vendor's website.

References

• https://www.elastic.co/community/security#ESA-2021-08
• https://www.elastic.co/community/security#ESA-2021-06