Elastic Stack 7.12.0 and 6.8.15 Security Update

Elasticsearch Suggester & Profile API information disclosure flaw (ESA-2021-06)

A document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.

Affected Versions:

All versions of Elasticsearch before 7.11.2 and 6.8.15.

Solutions and Mitigations:

Anyone using both Document and Field Level Security should upgrade to Elasticsearch version 7.11.2 or 6.8.15. There is no known workaround for this flaw.

CVSSv3 - 3.1: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID: CVE-2021-22135


Kibana Timeout Bypass (ESA-2021-07)

A flaw in Kibana’s session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out.

Affected Versions:

All versions of Kibana before 7.12.0 and 6.8.15.

Solutions and Mitigations:

Users should update their version of Kibana to 7.12.0 or 6.8.15.

CVSSv3 - 4.0: AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE ID: CVE-2021-22136


Elasticsearch field disclosure flaw (ESA-2021-08)

A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Thanks to Piotr Dłubisz, Security Consultant at JN Data A/S for reporting this issue.

Affected Versions:

All versions of Elasticsearch before 6.8.15 and 7.11.2

Solutions and Mitigations:

Anyone using Document or Field Level Security should upgrade to Elasticsearch version 7.11.2 or 6.8.15. There is no known workaround for this flaw.

CVSSv3 - 2.6:AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

CVE ID: CVE-2021-22137


Logstash certificate verification bypass (ESA-2021-09)

A TLS certificate validation flaw was found in the monitoring feature of Logstash. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man in the middle style attack against the Logstash monitoring data.

Affected Versions:

All versions of Logstash after 6.4.0 and before versions 6.8.15 and 7.12.0

Solutions and Mitigations:

Users should update their version of Logstash to 7.12.0 or 6.8.15.

CVSSv3 - 2.6:AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE ID: CVE-2021-22138