Elastic Cloud Enterprise 1.1.4 security update

Elastic Cloud Enterprise use of shared encryption key (ESA-2018-09)
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known. In addition to ZooKeeper access, to exploit this vulnerability the attacker must chain this with an remote code execution (of which there are currently no known vulnerabilities).

Affected Versions: All ECE versions prior to 1.1.4

Solutions and Mitigations:
New deployments should target 1.1.4 or greater release. It is recommended that existing deployments perform an upgrade. Additionally ECE deployments that expose access to ZooKeeper, and if the deployment is susceptible to remote code execution, are recommended to rotate their existing credentials using a cleanup script. Please find instructions and more information in this knowledge base article.

CVE ID: CVE-2018-3825


Elastic Cloud Enterprise Information Exposure Vulnerability (ESA-2018-12)
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials.

Affected Versions:
All ECE versions prior to 1.1.4

Solutions and Mitigations:
All users of Elastic Cloud Enterprise should upgrade to version 1.1.4. This ensure credentials are properly redacted under error conditions.

CVE ID: CVE-2018-3828


Elastic Cloud Enterprise Improper authentication used when bootstrapping new runners (ESA-2018-13)
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data.

Affected Versions:
All ECE versions prior to 1.1.4

Solutions and Mitigations:
All users of Elastic Cloud Enterprise should upgrade to version 1.1.4. This ensure role tokens are properly revoked for previous deleted runner roles.

CVE ID: CVE-2018-3829