A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.
Versions 7.16.0 through 7.17.0.
Users running a cluster on an affected version that had previously been upgraded from 6.x should upgrade to 7.17.1. Users who are planning to upgrade from 6.x should not upgrade from 6.x to versions 7.16 through 7.17.0 and should use 7.17.1+ for upgrades from 6.x.
6.8 (Medium) - AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.
Versions 7.7.0 through 7.17.0, and 8.0.0.
The issue is fixed in 7.17.1, 8.0.1, and 8.1.0.
As mitigation, users on affected versions can avoid granting users Read access to the Uptime feature if they should not be able to otherwise create/modify alerts, and avoid using the built-in Viewer role.
4.3 (Medium) - AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
For self-managed deployments the issue impacts versions 7.15.0, 7.15.1, and 7.15.2.
For Elastic Cloud Services the issue impacts versions 7.15.0 through 7.17.0, and 8.0.0.
This issue is fixed in 7.17.1, 8.0.1, and 8.1.0.
As mitigation, users on affected versions can avoid granting users All access to the Index Pattern Management and Saved Object Management features if they should not be able to otherwise create/modify index patterns. Note: index patterns are called data views starting in 8.0.
5.4 (Medium) - AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
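The mitigations above all come down to checking who holds which privilege: Elasticsearch roles whose index privileges match "*" (relevant to the upgrade-assistant flaw), Kibana roles that grant Read on the Uptime feature or use the built-in Viewer role, and Kibana roles that grant All on Index Pattern Management and Saved Object Management. The following role audit is an added example, not code from Elastic or from these advisories. It runs over constructed, inline samples shaped like the responses of GET _security/role, GET _security/user and Kibana's GET /api/security/role; the Kibana feature identifiers `uptime`, `indexPatterns` and `savedObjectsManagement` are assumed to be the IDs the role API uses for those features.

```python
"""Audit role and user definitions for the privilege grants named in the
advisories above, using constructed sample API responses (not real data)."""
import json

# Constructed sample shaped like a GET _security/role response.
ES_ROLES_JSON = """
{
  "analyst_ro":   {"cluster": [], "indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
  "legacy_admin": {"cluster": ["monitor"], "indices": [{"names": ["*"], "privileges": ["all"]}]},
  "auditor":      {"cluster": [], "indices": [{"names": ["audit-*", "*"], "privileges": ["read"]}]}
}
"""

# Constructed sample shaped like a GET _security/user response.
ES_USERS_JSON = """
{
  "alice": {"username": "alice", "roles": ["viewer"], "enabled": true},
  "bob":   {"username": "bob", "roles": ["analyst_ro", "uptime_watcher"], "enabled": true}
}
"""

# Constructed sample shaped like a Kibana GET /api/security/role response.
KIBANA_ROLES_JSON = """
[
  {"name": "uptime_watcher",
   "kibana": [{"base": [], "feature": {"uptime": ["read"]}, "spaces": ["*"]}]},
  {"name": "dv_manager",
   "kibana": [{"base": [], "feature": {"indexPatterns": ["all"], "savedObjectsManagement": ["all"]},
               "spaces": ["default"]}]},
  {"name": "dashboard_only",
   "kibana": [{"base": [], "feature": {"dashboard": ["read"]}, "spaces": ["*"]}]}
]
"""

ES_ROLES = json.loads(ES_ROLES_JSON)
ES_USERS = json.loads(ES_USERS_JSON)
KIBANA_ROLES = json.loads(KIBANA_ROLES_JSON)

# Kibana feature IDs as assumed to appear in the role API.
UPTIME = "uptime"
INDEX_PATTERNS = "indexPatterns"
SAVED_OBJECTS = "savedObjectsManagement"


def es_roles_with_wildcard_index(roles):
    """Names of roles with any index-privilege entry whose names include the bare "*"."""
    flagged = []
    for name, role in roles.items():
        if any("*" in entry.get("names", []) for entry in role.get("indices", [])):
            flagged.append(name)
    return sorted(flagged)


def users_with_role(users, role_name="viewer"):
    """Usernames that hold the given role (default: the built-in viewer role)."""
    return sorted(u for u, info in users.items() if role_name in info.get("roles", []))


def kibana_role_findings(roles):
    """Map role name -> findings: Read on Uptime, All on Index Pattern or Saved
    Object Management, or a base privilege (which implies Read on every feature)."""
    findings = {}
    for role in roles:
        issues = []
        for space_priv in role.get("kibana", []):
            base = space_priv.get("base", [])
            feature = space_priv.get("feature", {})
            if base:
                issues.append("base:" + ",".join(base))
            if "read" in feature.get(UPTIME, []):
                issues.append(UPTIME + ":read")
            for fid in (INDEX_PATTERNS, SAVED_OBJECTS):
                if "all" in feature.get(fid, []):
                    issues.append(fid + ":all")
        if issues:
            findings[role["name"]] = issues
    return findings


def audit():
    """Run all three checks over the embedded samples and return one report."""
    return {
        "es_wildcard_index_roles": es_roles_with_wildcard_index(ES_ROLES),
        "viewer_role_users": users_with_role(ES_USERS),
        "kibana_role_findings": kibana_role_findings(KIBANA_ROLES),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Against a live cluster the three JSON constants would be replaced by the responses of the corresponding APIs; the checks themselves only read the role and user documents and need no privileges beyond those the security APIs already require.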