Elasticsearch 7.13.4 Security Update

Elasticsearch memory disclosure issue (ESA-2021-16)

A memory disclosure vulnerability was identified in Elasticsearch’s error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

Thanks to Eric Howard (Bell Canada) for reporting this issue.

Affected Versions:

Elasticsearch versions 7.10.0 to 7.13.3

Solutions and Mitigations:

Affected users should update their version of Elasticsearch to 7.13.4. There is no known workaround for this issue.

ECE Users:

Aug 2 Update: Within the context of some versions of ECE, this vulnerability can additionally be exploited by ECE users to escalate their own permissions. Follow the below instructions to determine the best steps to take for your ECE version.

For ECE versions 1.0.0 - 2.6.2:

  1. Upgrade non-system clusters of versions between 7.10.0 and 7.13.3 (inclusive) to 7.13.4+
  2. Do nothing on system clusters

For ECE versions 2.7.0 - 2.9.2:

  1. Upgrade non-system clusters of versions between 7.10.0 and 7.13.3 (inclusive) to 7.13.4+

  2. Reinstall the most recent stack pack on the system clusters to remediate ESA-2021-17 and restart

  3. If you have added non-admin users to your AdminConsole or Logging+Monitoring system clusters, you should revoke these users’ access.

  4. For the Security system cluster, perform one of the following:

  5. Upgrade ECE to 2.10+ and upgrade the system clusters to 7.13.4+

  6. Add a "block all" IP filter for “0.0.0.0” and apply that to the security cluster, which blocks access except via the Admin console

  7. Do nothing on system clusters.

For ECE versions 2.10.0 - 2.10.1:

  1. Upgrade non-system clusters of versions between 7.10.0 and 7.13.3 (inclusive) to 7.13.4+
  2. Reinstall the most recent stack pack
  3. For each system cluster, go to the Advanced Editor > Elasticsearch Cluster data, and set "system_owned = false" and save
  4. Upgrade each system cluster to 7.13.4+
  5. For each system cluster, go to the Advanced Editor > Elasticsearch Cluster data, and set "system_owned = true" and save

For ECE versions 2.10.2+:

  1. Upgrade non-system clusters of versions 7.10 - 7.13.3 to 7.13.4+
  2. Reinstall the most recent stack pack

CVSSv3: 8.0 - AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2021-22145

CWE: CWE-125: Out-of-bounds Read