Elastic Stack 7.17.4 and 8.2.1 Security Update

Elastic Stack update for CVE-2022-21449 Java vulnerability in Elliptic Curve Digital Signature Algorithm (ECDSA) (ESA-2022-06)

A vulnerability (CVE-2022-21449) affecting the implementation of Elliptic Curve Digital Signature Algorithm (ECDSA) based signature verification in Java JDK versions 15 and later was published on April 19, 2022. This vulnerability affects Oracle Java and OpenJDK, including other JDKs derived from OpenJDK.

Affected Products and Versions

Elasticsearch 6.8.x, 7.9.2 and later may be affected by this vulnerability when Java JDK 15 or later is used with the following SSO configurations:

  • Elasticsearch is configured for SSO with SAML and the SAML Identity Provider is using ECDSA-based signatures for signing SAML messages.
  • Elasticsearch is configured for SSO with OpenID Connect, the OpenID Provider is using ECDSA-based signatures for signing OpenID Connect ID Tokens, and you are using the OpenID Connect Implicit flow.

Logstash ships with a bundled version of Java JDK 11 and thus is not affected by default by this issue. Logstash is possibly affected by this vulnerability only when Java JDK 15 or later is used and certain features are in use with specific configurations.

Enterprise Search may be affected by this vulnerability when the Elasticsearch cluster is affected as described above and:

  • Enterprise Search is configured for SSO with SAML and the SAML Identity Provider is using ECDSA-based signatures for signing SAML messages.
  • Enterprise Search is configured for SSO with OpenID Connect, the OpenID Provider is using ECDSA-based signatures for signing OpenID Connect ID Tokens, and you are using the OpenID Connect Implicit flow.
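The first half of the affected condition above is the JDK version each node runs. The following script is an added example (not Elastic's code) that evaluates a `GET _nodes/jvm` response against that condition: JDK 15 or later is affected unless it is at or above the fixed releases the advisory names for Logstash (17.0.3 and 18.0.1); JDK 15 and 16 are treated as having no fix, and feature releases after 18 are assumed to postdate the fix. The node names and versions in the sample response are constructed.

```python
import json
import re

# Constructed sample of a GET _nodes/jvm response (invented node names and
# versions, not output from a real cluster).
SAMPLE_NODES_JVM = json.dumps({
    "nodes": {
        "n1": {"name": "es-data-1",   "jvm": {"version": "11.0.15"}},
        "n2": {"name": "es-master-1", "jvm": {"version": "17.0.2"}},
        "n3": {"name": "es-data-2",   "jvm": {"version": "18.0.1"}},
        "n4": {"name": "es-data-3",   "jvm": {"version": "16.0.2"}},
        "n5": {"name": "es-data-4",   "jvm": {"version": "17.0.3+7"}},
    }
})

# Earliest releases the advisory names as fixed (17.0.3 / 18.0.1). JDK 15 and
# 16 receive no fix; feature releases after 18 are assumed to postdate the fix.
FIXED_RELEASES = {17: (17, 0, 3), 18: (18, 0, 1)}
LAST_FIXED_FEATURE = 18


def parse_jdk_version(version):
    """Turn a JVM version string into a (feature, interim, update) tuple.

    Handles "17.0.2", "17.0.3+7" (build suffix dropped) and the legacy
    "1.8.0_332" form (leading "1." dropped).
    """
    digits = [int(p) for p in re.findall(r"\d+", version.split("+")[0])]
    if len(digits) > 1 and digits[0] == 1:
        digits = digits[1:]
    digits += [0] * (3 - len(digits))
    return tuple(digits[:3])


def jdk_is_affected(version):
    """True when the JDK is 15 or later and older than the named fixed release."""
    parsed = parse_jdk_version(version)
    feature = parsed[0]
    if feature < 15 or feature > LAST_FIXED_FEATURE:
        return False
    fixed = FIXED_RELEASES.get(feature)
    return fixed is None or parsed < fixed


def affected_nodes(nodes_jvm_json):
    """Names of nodes whose JVM satisfies the JDK part of the affected condition."""
    doc = json.loads(nodes_jvm_json)
    return [node["name"] for node in doc["nodes"].values()
            if jdk_is_affected(node["jvm"]["version"])]


if __name__ == "__main__":
    for name in affected_nodes(SAMPLE_NODES_JVM):
        print(f"{name}: JDK affected by CVE-2022-21449; "
              "check SAML/OIDC realms for ECDSA-signed messages")
```

A node flagged here is only actually exposed when one of the SAML or OpenID Connect conditions above also holds, so the output is a list of nodes whose realm configuration needs review, not a list of exploitable nodes.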

Solutions and Mitigations

Elasticsearch 8.2.1 and 7.17.4 are packaged with OpenJDK 18.0.1, which resolves this issue.

If you cannot update, you can perform the following steps:

  • Configure your SAML Identity Provider to use an RSA-based signing algorithm for signing SAML messages, for instance: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  • Configure your OIDC Provider to use an RSASSA-PKCS1-v1_5 based signing algorithm for ID Tokens, i.e. RS256, and change your Elasticsearch configuration (rp.signature_algorithm) accordingly.
  • For on-premises installations, add the following settings in the Java Security Properties file located under $JDK_HOME/conf/security/java.security:
    • TLS_ECDHE_ECDSA to the jdk.tls.client.cipherSuites and
    • ECDSA usage TLSClient to the jdk.certpath.disabledAlgorithms
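The first two mitigations change what the identity provider signs with, and whether that change has actually taken effect is visible in the messages Elasticsearch receives. The following script is an added example (not Elastic's code) that reads the signing algorithm out of a SAML Response's `ds:SignatureMethod` and out of an ID token's JWS header, and checks both against the affected condition and the advisory's mitigations. It assumes the realm settings `rp.response_type` (values `code`, `id_token`, `id_token token`, the last two selecting the Implicit flow) and `rp.signature_algorithm`; the SAML Response and ID token are constructed samples with placeholder signatures.

```python
import base64
import json
import xml.etree.ElementTree as ET

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # named in the advisory
ECDSA_JWS_ALGS = {"ES256", "ES384", "ES512"}  # JOSE names for ECDSA signatures
# rp.response_type values that select the OpenID Connect Implicit flow
IMPLICIT_RESPONSE_TYPES = {"id_token", "id_token token"}


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed ID token (fake header/payload, placeholder signature): the only
# field this check reads is the "alg" header.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "ES256", "kid": "example-key"}),
    _b64url({"iss": "https://idp.example", "sub": "alice"}),
    "placeholder-signature",
])

# Constructed SAML Response skeleton; only the SignatureMethod element matters here.
SAMPLE_SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:Response>"""


def jws_header(token):
    """Decode the JOSE header of a compact-serialized JWT/JWS (no verification)."""
    segment = token.split(".")[0]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def saml_signature_algorithms(xml_text):
    """Algorithm URIs of every ds:SignatureMethod in the document."""
    root = ET.fromstring(xml_text)
    return [el.get("Algorithm") for el in root.iter(f"{{{XMLDSIG_NS}}}SignatureMethod")]


def is_ecdsa(alg):
    """True for JOSE ES* names and for XML DSig URIs containing 'ecdsa'."""
    return alg in ECDSA_JWS_ALGS or "ecdsa" in alg.lower()


def oidc_exposed(id_token, rp_response_type):
    """Advisory condition: ECDSA-signed ID token AND Implicit flow."""
    return is_ecdsa(jws_header(id_token)["alg"]) and rp_response_type in IMPLICIT_RESPONSE_TYPES


def saml_exposed(saml_xml):
    """Advisory condition: the IdP signs SAML messages with ECDSA."""
    return any(is_ecdsa(alg) for alg in saml_signature_algorithms(saml_xml))


def mitigation_findings(saml_xml, id_token, rp_response_type, rp_signature_algorithm):
    """Readable findings against the advisory's interim mitigations."""
    findings = []
    if saml_exposed(saml_xml):
        findings.append(f"SAML IdP still signs with ECDSA; switch it to {RSA_SHA256_URI}")
    alg = jws_header(id_token)["alg"]
    if oidc_exposed(id_token, rp_response_type):
        findings.append(f"ID tokens signed with {alg} via Implicit flow; switch the provider to RS256")
    if rp_signature_algorithm != alg:
        findings.append(f"rp.signature_algorithm={rp_signature_algorithm} does not match the provider's {alg}")
    return findings


if __name__ == "__main__":
    for line in mitigation_findings(SAMPLE_SAML_RESPONSE, SAMPLE_ID_TOKEN, "id_token", "RS256"):
        print(line)
```

The last check matters because the OIDC mitigation is two-sided: the provider must issue RS256 tokens and `rp.signature_algorithm` must be changed to match, otherwise the realm rejects every login.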

Mitigations for Logstash:

You can revert to Java JDK 11 or update to the latest Java JDK 17.

  • If you are using JDK 17 or 18, download an updated JDK version (Oracle/OpenJDK 17.0.3 or jdk-17.0.3+7 Temurin, Oracle/OpenJDK 18.0.1 or jdk-18.0.1 Temurin) and point your Logstash installation at it.

If you cannot update the JDK, you can perform the following steps:

  • Add the following settings in the Java Security Properties file located under $JDK_HOME/conf/security/java.security:
    • TLS_ECDHE_ECDSA to the jdk.tls.client.cipherSuites and
    • ECDSA usage TLSClient to the jdk.certpath.disabledAlgorithms

Mitigations for Enterprise Search:
Follow the mitigation steps for Elasticsearch described above.

Severity:

High

CVSSv3.1:

7.5 / AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE ID:

CVE-2022-21449


Elasticsearch Denial of Service issue (ESA-2022-07)

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specially formatted network request.

Affected Versions:

Elasticsearch 8.0.0 to 8.2.0

Solutions and Mitigations:

The issue is resolved in 8.2.1.

CVSSv3:

7.5 / AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID:

CVE-2022-23712
