Elastic Stack update for CVE-2022-21449 Java vulnerability in Elliptic Curve Digital Signature Algorithm (ECDSA) (ESA-2022-06)
A vulnerability (CVE-2022-21449) affecting the implementation of Elliptic Curve Digital Signature Algorithm (ECDSA) signature verification in Java JDK versions 15 and later was published on April 19, 2022. This vulnerability affects Oracle Java and OpenJDK, as well as other JDKs derived from OpenJDK.
Affected Products and Versions
Elasticsearch 6.8.x, 7.9.2 and later may be affected by this vulnerability when Java JDK 15 or later is used with the following SSO configurations:
- Elasticsearch is configured for SSO with SAML and the SAML Identity Provider is using ECDSA based signatures for signing SAML messages.
- Elasticsearch is configured for SSO with OpenID Connect and the OpenID Provider is using ECDSA based signatures for signing OpenID Connect ID Tokens and you are using the OpenID Connect Implicit flow.
Logstash ships with a bundled version of Java JDK 11 and thus is not affected by default by this issue. Logstash is possibly affected by this vulnerability only when Java JDK 15 or later is used and certain features are in use with specific configurations.
Enterprise Search may be affected by this vulnerability when the Elasticsearch cluster is affected as described above and:
- Enterprise Search is configured for SSO with SAML and the SAML Identity Provider is using ECDSA based signatures for signing SAML messages.
- Enterprise Search is configured for SSO with OpenID Connect and the OpenID Provider is using ECDSA based signatures for signing OpenID Connect ID Tokens and you are using the OpenID Connect Implicit flow.
Solutions and Mitigations
Elasticsearch 8.2.1 and 7.17.4 are packaged with OpenJDK 18.0.1 which resolves this issue.
If you cannot update, you can perform the following steps:
- Configure your SAML Identity Provider to use an RSA based signing algorithm for signing SAML messages, for instance: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- Configure your OIDC Provider to use an RSASSA-PKCS1-v1_5 based signing algorithm for ID Tokens, i.e. RS256, and change your Elasticsearch configuration (rp.signature_algorithm) accordingly.
- For on-premises installations, add the following settings in the Java Security Properties file located under $JDK_HOME/conf/security/java.security:
  - TLS_ECDHE_ECDSA to the jdk.tls.client.cipherSuites property, and
  - ECDSA usage TLSClient to the jdk.certpath.disabledAlgorithms property.
Mitigations for Logstash:
Logstash ships with a bundled version of Java JDK 11 and thus is not affected by default by this issue. Logstash is possibly affected by this vulnerability only when Java JDK 15 or later is used and certain features are in use with specific configurations.
You can revert to Java JDK 11 or update to the latest Java JDK 17.
- If you are using JDK 17 or 18, download an updated JDK version (Oracle/OpenJDK 17.0.3 or jdk-17.0.3+7 Temurin, Oracle/OpenJDK 18.0.1 or jdk-18.0.1 Temurin) and point your Logstash installation to use that.
If you cannot update the JDK, you can perform the following steps:
- Add the following settings in the Java Security Properties file located under $JDK_HOME/conf/security/java.security:
  - TLS_ECDHE_ECDSA to the jdk.tls.client.cipherSuites property, and
  - ECDSA usage TLSClient to the jdk.certpath.disabledAlgorithms property.
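The conditions in the Elasticsearch and Logstash mitigation lists above (affected JDK release, ECDSA-signed SAML messages or ID Tokens with the Implicit flow, and the two java.security entries) can be audited with a short script. The following is an added example written for this page, not Elastic's own code: it reads a JDK version string, an excerpt of java.security, and the signing algorithm seen in a SAML signature method URI or an OIDC ID Token header, and reports whether the advisory applies. The version rule (17.0.3 and 18.0.1 fixed, other JDK 15 to 18 builds affected, majors above 18 treated as fixed), all function names, and the sample inputs are assumptions or constructed for the example.

```python
"""Added audit helper for ESA-2022-06 (example code, not Elastic's own).
Checks whether the JDK carries CVE-2022-21449, whether the SSO signing
algorithm is ECDSA, and whether the java.security mitigations named in the
advisory are present. All sample inputs below are constructed."""
import base64
import json
import re

# Fixed JDK releases named in the advisory. Assumptions: other JDK 15..18
# builds stay affected, anything below 15 and any major above 18 is clean.
FIXED_MIN = {17: (17, 0, 3), 18: (18, 0, 1)}


def parse_jdk_version(version_string):
    """'17.0.3', '18.0.1+10', '11.0.15' or '16' -> (major, minor, patch)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version_string.strip())
    if not m:
        raise ValueError("unparseable JDK version: %r" % version_string)
    return tuple(int(g) if g else 0 for g in m.groups())


def jdk_affected(version_string):
    """True while the JDK still has the ECDSA verification defect."""
    v = parse_jdk_version(version_string)
    major = v[0]
    if major < 15 or major > 18:
        return False
    fixed = FIXED_MIN.get(major)
    return fixed is None or v < fixed


def parse_java_security(text):
    """Tiny reader for java.security: key=value lines, '#' comments, and
    backslash-newline continuations joined into one value."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    props = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _entries(value):
    # comma separated list; collapse inner whitespace so "ECDSA  usage TLSClient"
    # still matches the advisory's entry
    return [" ".join(item.split()) for item in value.split(",") if item.strip()]


def java_security_mitigations(text):
    """Which of the advisory's two java.security entries are present."""
    props = parse_java_security(text)
    certpath = _entries(props.get("jdk.certpath.disabledAlgorithms", ""))
    suites = _entries(props.get("jdk.tls.client.cipherSuites", ""))
    return {
        "ecdsa_tlsclient_disabled": "ECDSA usage TLSClient" in certpath,
        "tls_ecdhe_ecdsa_listed": "TLS_ECDHE_ECDSA" in suites,
    }


def id_token_alg(id_token):
    """Read the JOSE header 'alg' of an OIDC ID Token (no verification)."""
    header = id_token.split(".")[0]
    header += "=" * (-len(header) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header))["alg"]


def signing_is_ecdsa(saml_signature_method="", id_token=""):
    """ECDSA in use? SAML: xmldsig URI naming ecdsa; OIDC: ES256/ES384/ES512."""
    if "ecdsa" in saml_signature_method.lower():
        return True
    return bool(id_token) and id_token_alg(id_token).startswith("ES")


def assess(jdk_version, java_security_text, saml_signature_method="",
           id_token="", oidc_implicit_flow=False):
    """Apply the advisory's conditions: affected JDK plus ECDSA-signed SAML
    messages, or ECDSA-signed ID Tokens together with the Implicit flow."""
    saml_ecdsa = signing_is_ecdsa(saml_signature_method=saml_signature_method)
    oidc_ecdsa = signing_is_ecdsa(id_token=id_token) and oidc_implicit_flow
    affected = jdk_affected(jdk_version)
    return {
        "jdk_affected": affected,
        "exposed": affected and (saml_ecdsa or oidc_ecdsa),
        "mitigations": java_security_mitigations(java_security_text),
    }


# --- constructed sample inputs ---------------------------------------------
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt of $JDK_HOME/conf/security/java.security
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, ECDSA usage TLSClient
jdk.tls.client.cipherSuites=TLS_ECDHE_ECDSA
"""


def _fake_jwt(alg):
    # constructed, unsigned token: header.payload.signature in base64url
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc({"sub": "demo"}), "sig"])


SAMPLE_ES256_TOKEN = _fake_jwt("ES256")
SAMPLE_RS256_TOKEN = _fake_jwt("RS256")

if __name__ == "__main__":
    print(assess("17.0.2", "", id_token=SAMPLE_ES256_TOKEN, oidc_implicit_flow=True))
    print(assess("17.0.3", SAMPLE_JAVA_SECURITY, id_token=SAMPLE_ES256_TOKEN,
                 oidc_implicit_flow=True))
```

Run against a real host, replace the constructed inputs with the output of `java -version`, the contents of $JDK_HOME/conf/security/java.security, and a captured ID Token or the SignatureMethod Algorithm attribute from a SAML response; the `mitigations` field shows which of the two java.security entries still need adding when the JDK cannot be updated.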
Mitigations for Enterprise Search:
Follow the mitigation steps for Elasticsearch described above.
Severity: High
CVSSv3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVE ID: CVE-2022-21449
Elasticsearch Denial of Service issue (ESA-2022-07)
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.
Affected Versions:
Elasticsearch 8.0.0 to 8.2.0
Solutions and Mitigations:
The issue is resolved in 8.2.1.
CVSSv3: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE ID: CVE-2022-23712