Elasticsearch username disclosure flaw (ESA-2019-13)
A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
Affected Versions
The following Elasticsearch versions are affected by this flaw:
7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2
6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3
Solutions and Mitigations:
Users should upgrade to Elasticsearch version 7.4.0 or 6.8.4. If users cannot upgrade, the API key service can be disabled by setting 'xpack.security.authc.api_key.enabled' to false in the Elasticsearch configuration file.
CVSSv3: 3.7 - AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2019-7619
Logstash Beats input denial of service flaw (ESA-2019-14)
A denial of service flaw was found in the Logstash Beats input plugin. An unauthenticated user who is able to connect to the port the Logstash Beats input listens on could send a specially crafted network packet that would cause Logstash to stop responding.
If you are not using the Beats input plugin with Logstash you are not vulnerable to this issue.
Thanks to Dennis Detering, IT security consultant at Spike Reply, for reporting this issue.
Affected Versions
Logstash versions before 7.4.1 and 6.8.4
Solutions and Mitigations:
Users should upgrade to Logstash version 7.4.1 or 6.8.4.
CVSSv3: 7.5 - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2019-7620
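A small triage helper for both advisories above, added here as an example and not part of Elastic's advisory or tooling: it checks a reported Elasticsearch version against the explicit ESA-2019-13 list, checks a Logstash version against the ESA-2019-14 fix versions, and verifies that an elasticsearch.yml actually carries the documented mitigation. It assumes that only the 6.x and 7.x Logstash release lines are in scope for "before 7.4.1 and 6.8.4" and that the setting is written in the flat dotted-key form; the sample config is constructed.

```python
import re

# Affected Elasticsearch versions, exactly as listed in ESA-2019-13.
ES_AFFECTED = {
    "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.2.1", "7.3.0", "7.3.1", "7.3.2",
    "6.7.0", "6.7.1", "6.7.2", "6.8.0", "6.8.1", "6.8.2", "6.8.3",
}
# Logstash fix versions from ESA-2019-14: 7.x fixed in 7.4.1, 6.x fixed in 6.8.4.
LOGSTASH_FIXED = {7: (7, 4, 1), 6: (6, 8, 4)}


def parse_version(version: str) -> tuple:
    """Turn '7.3.2' (or '7.3.2-SNAPSHOT') into (7, 3, 2); pre-release suffixes are dropped."""
    core = version.split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def elasticsearch_affected(version: str) -> bool:
    """ESA-2019-13 lists explicit versions, so this is an exact-match check."""
    return ".".join(str(p) for p in parse_version(version)) in ES_AFFECTED


def logstash_affected(version: str) -> bool:
    """ESA-2019-14 says 'before 7.4.1 and 6.8.4'. Assumption (not stated on the page):
    only the 6.x and 7.x release lines are in scope; any other major returns False."""
    v = parse_version(version)
    fixed = LOGSTASH_FIXED.get(v[0])
    return fixed is not None and v < fixed


# Matches the uncommented, flat dotted-key form of the setting; the last occurrence wins,
# as it would in YAML. Nested-map spellings of the key are not recognised (simplification).
_API_KEY_RE = re.compile(r"^\s*xpack\.security\.authc\.api_key\.enabled\s*:\s*(\S+)", re.M)


def api_key_service_disabled(elasticsearch_yml: str) -> bool:
    """True only if elasticsearch.yml explicitly sets the documented mitigation to false."""
    matches = _API_KEY_RE.findall(elasticsearch_yml)
    return bool(matches) and matches[-1].strip("\"'").lower() == "false"


if __name__ == "__main__":
    # Constructed sample config, not taken from any real deployment.
    sample_yml = "cluster.name: demo\nxpack.security.authc.api_key.enabled: false\n"
    print("Elasticsearch 7.3.2 affected:", elasticsearch_affected("7.3.2"))
    print("Logstash 6.8.2 affected:", logstash_affected("6.8.2"))
    print("API key service disabled in sample config:", api_key_service_disabled(sample_yml))
```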