Elastic Cloud on Kubernetes insecure password generation (ESA-2020-03)
Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed, they may be able to more easily brute force the Elasticsearch credentials generated by ECK.
Affected versions: ECK 1.0.0 and 1.0.1
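The following Go program is an added illustration of the weakness class this advisory describes and of its fix; it is not ECK's code and does not claim to reproduce how ECK generated passwords. It assumes a hypothetical alphabet (`passwordAlphabet`) and models the weak generator as `math/rand` seeded with a deployment timestamp: any two calls with the same seed produce the same "random" password, so once the seed is known the password space collapses to the space of plausible seeds. The hardened `securePassword` draws every character from the operating system CSPRNG via `crypto/rand`, using `rand.Int` to avoid modulo bias, so no external fact about the cluster shrinks the search space.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
	"strings"
)

// Character set for generated passwords (constructed for this example;
// 62 symbols, so each character carries log2(62) ~ 5.95 bits when drawn
// uniformly from a CSPRNG).
const passwordAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// weakPassword illustrates the vulnerable pattern: characters drawn from a
// deterministic PRNG (math/rand) seeded with a low-entropy value such as a
// deployment time. Equal seeds give equal passwords, so the generator's
// output is only as unpredictable as its seed. Illustrative model only, not
// ECK's actual implementation.
func weakPassword(seed int64, length int) string {
	r := mrand.New(mrand.NewSource(seed))
	out := make([]byte, length)
	for i := range out {
		out[i] = passwordAlphabet[r.Intn(len(passwordAlphabet))]
	}
	return string(out)
}

// securePassword is the hardened form: every character comes from
// crypto/rand, and rand.Int yields a uniform value in [0, len(alphabet))
// without modulo bias. Errors from the CSPRNG are returned, never ignored,
// because silently falling back to a weaker source would recreate the bug.
func securePassword(length int) (string, error) {
	out := make([]byte, length)
	max := big.NewInt(int64(len(passwordAlphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, max)
		if err != nil {
			return "", err
		}
		out[i] = passwordAlphabet[n.Int64()]
	}
	return string(out), nil
}

// onlyAlphabet reports whether every byte of s is in passwordAlphabet;
// a cheap sanity check that a generator never emits unexpected characters.
func onlyAlphabet(s string) bool {
	for i := 0; i < len(s); i++ {
		if strings.IndexByte(passwordAlphabet, s[i]) < 0 {
			return false
		}
	}
	return true
}

func main() {
	// Constructed example seed: a Unix timestamp standing in for a
	// cluster deployment time. Same seed => identical password.
	const deployedAt int64 = 1585699200
	fmt.Println("weak generator repeats for a known seed:",
		weakPassword(deployedAt, 24) == weakPassword(deployedAt, 24))

	// Two independent CSPRNG draws should never coincide in practice.
	p1, err := securePassword(24)
	if err != nil {
		panic(err)
	}
	p2, err := securePassword(24)
	if err != nil {
		panic(err)
	}
	fmt.Println("secure generator draws differ:", p1 != p2)
}
```

Run it with `go run .`; the first line prints `true` because the weak generator is a pure function of its seed, the second prints `true` because each secure password is an independent draw. The same reasoning is why this advisory recommends rotating credentials after upgrading: a password that was already produced by the weak generator stays guessable no matter which generator the operator now runs.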
Solutions and Mitigations:
All Elastic Cloud on Kubernetes users should upgrade to version 1.1.0. Instructions for applying this update can be found here. There is no workaround for this issue.
This issue affects only the default auto-generated credentials for a cluster. Clusters whose auto-generated Elasticsearch credentials have already been changed require no action.
Once ECK is upgraded to version 1.1.0, the auto-generated credentials should be rotated using the instructions found here.
CVSSv3: 7.5 - AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2020-7010