Elastic Cloud Enterprise security update (ESA-2021-17)
Elastic Cloud Enterprise (ECE) enables the Elasticsearch “anonymous” user by default in the clusters it deploys. In the default configuration the anonymous user has no permissions and cannot successfully query any Elasticsearch API, but an unauthenticated attacker able to reach a deployed cluster could still use the anonymous user to learn certain details about that cluster.
Affected Versions:
All ECE versions enable the anonymous user by default. On 2021-07-07 the ECE stack packs for 7.10.0 through the latest version were updated to disable the anonymous user. Stack packs can be downloaded from this page.
This stack pack disables the anonymous user. To re-enable the anonymous user please see the product documentation.
Solutions and Mitigations:
Affected users should apply the updated stack pack. There is no known workaround.
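As a check that a practitioner can run against a deployment before and after applying the stack pack, the following Python script (an added example, not code from Elastic or from this advisory) sends an unauthenticated GET to /_security/_authenticate, the Elasticsearch endpoint that returns the identity of the caller. A 200 response naming a user means the cluster accepted the request as the anonymous user; a 401 means unauthenticated requests are rejected. The sample responses, the username and role values in them, and the helper names are assumptions constructed for this example and are not taken from an ECE deployment.

```python
"""Probe an Elasticsearch cluster for anonymous access.

Added example, not Elastic's code. Logic: an unauthenticated request to
/_security/_authenticate succeeds only if an anonymous user is configured,
because the endpoint needs no privilege beyond being authenticated.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

ANONYMOUS_ENABLED = "anonymous-enabled"
ANONYMOUS_DISABLED = "anonymous-disabled"
UNEXPECTED = "unexpected"


def classify(status: int, body: str) -> dict:
    """Interpret the response to an unauthenticated /_security/_authenticate call."""
    if status == 401:
        # No anonymous user: Elasticsearch rejects the request outright.
        return {"verdict": ANONYMOUS_DISABLED, "username": None, "roles": []}
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return {"verdict": UNEXPECTED, "username": None, "roles": []}
        # The cluster authenticated us without credentials; report who we became.
        return {
            "verdict": ANONYMOUS_ENABLED,
            "username": doc.get("username"),
            "roles": list(doc.get("roles", [])),
        }
    # Anything else (proxy errors, 403 from a disabled-user edge case, ...) needs a human look.
    return {"verdict": UNEXPECTED, "username": None, "roles": []}


def probe(base_url: str, timeout: float = 5.0, verify_tls: bool = True) -> dict:
    """Send the unauthenticated request to a live cluster and classify the result."""
    url = base_url.rstrip("/") + "/_security/_authenticate"
    # Deliberately no Authorization header: we want the cluster's unauthenticated behaviour.
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    ctx = None if verify_tls else ssl._create_unverified_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses (assumed shapes, not captured from a real deployment).
SAMPLE_ENABLED = (200, json.dumps({
    "username": "_anonymous",
    "roles": ["anonymous_role"],
    "full_name": None, "email": None, "metadata": {}, "enabled": True,
    "authentication_type": "anonymous",
}))
SAMPLE_DISABLED = (401, json.dumps({
    "error": {
        "type": "security_exception",
        "reason": "missing authentication credentials for REST request [/_security/_authenticate]",
    },
    "status": 401,
}))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python probe_anonymous.py https://<cluster-endpoint>:9243
        print(json.dumps(probe(sys.argv[1]), indent=2))
    else:
        for status, body in (SAMPLE_ENABLED, SAMPLE_DISABLED):
            print(status, classify(status, body)["verdict"])
```

Run it against the deployment endpoint with no arguments other than the URL; a cluster that still carries the pre-fix default reports anonymous-enabled together with the username and roles the anonymous identity maps to, and a deployment built from the updated stack pack should report anonymous-disabled. The Elasticsearch settings that govern this behaviour are xpack.security.authc.anonymous.username, xpack.security.authc.anonymous.roles and xpack.security.authc.anonymous.authz_exception; the advisory does not state the exact values ECE shipped, so the script infers the state from the cluster's response rather than from configuration.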
CVSSv3: 8.8 - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2021-22146
CWE: CWE-284: Improper Access Control