BIT-elasticsearch-2024-23444
Information Exposure vulnerability in elasticsearch (Maven)
What is BIT-elasticsearch-2024-23444 About?
This vulnerability in the elasticsearch-certutil CLI tool leads to the unencrypted storage of private keys when generating Certificate Signing Requests (CSRs), even if a passphrase is provided. This flaw exposes sensitive cryptographic material. Exploiting this issue would require local access to the system where the tool was used.
Affected Software
- org.elasticsearch:elasticsearch
  - <7.17.23
  - >8.0.0-alpha1, <8.13.0
Technical Details
The vulnerability resides in the elasticsearch-certutil CLI tool when used with the csr option to create new Certificate Signing Requests (CSRs). Despite the presence and apparent use of the --pass parameter during the command invocation, which suggests the private key should be encrypted, the tool fails to encrypt the generated private key. Consequently, the private key associated with the CSR is written to disk in plain text. This oversight means that any unauthorized access to the filesystem where the CSR was created could lead to the compromise of the private key, bypassing the intended security measure of passphrase protection.
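A defender-side check for the condition described above, added here as an example and not taken from the advisory or from Elasticsearch itself: it audits the private keys written alongside CSRs and flags any that are not passphrase-protected. It assumes the csr output is a zip bundle with one `.key` PEM file per instance, and the PEM samples are constructed placeholders rather than real key material.

```python
# Added example (not from the advisory or Elasticsearch): audit the private
# keys written alongside CSRs and flag any that are not passphrase-protected.
# Assumes the csr output is a zip bundle with one `.key` PEM per instance;
# the PEM samples below are constructed placeholders, not real key material.
import io
import re
import zipfile

_BEGIN = re.compile(r"-----BEGIN (.+?)-----")


def key_is_encrypted(pem: str) -> bool:
    """True if the PEM private key is passphrase-protected: PKCS#8 uses the
    'ENCRYPTED PRIVATE KEY' label, legacy RSA/EC blocks use Proc-Type/DEK-Info."""
    m = _BEGIN.search(pem)
    if not m or not m.group(1).endswith("PRIVATE KEY"):
        raise ValueError("not a PEM private key")
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    if label == "PRIVATE KEY":
        return False  # unencrypted PKCS#8, the case this advisory describes
    return "Proc-Type: 4,ENCRYPTED" in pem and "DEK-Info:" in pem


def find_plaintext_keys(bundle: bytes) -> list:
    """Names of .key entries in a bundle zip that are stored unencrypted."""
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        return [n for n in zf.namelist() if n.endswith(".key")
                and not key_is_encrypted(zf.read(n).decode("ascii", "replace"))]


# Constructed bundle: node-1's key was encrypted, node-2's was written in the clear.
_ENC = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"
_PLAIN = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"


def build_sample_bundle() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("node-1/node-1.key", _ENC)
        zf.writestr("node-2/node-2.key", _PLAIN)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_plaintext_keys(build_sample_bundle()):
        print(f"WARNING: {name} is stored unencrypted; regenerate on a fixed release")
```

Any key the check reports should be treated as exposed and re-issued after upgrading, since the passphrase given to `--pass` never protected it.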
What is the Impact of BIT-elasticsearch-2024-23444?
Successful exploitation may allow attackers to gain unauthorized access to sensitive cryptographic keys, potentially leading to impersonation, data decryption, or signing malicious code as a trusted entity.
What is the Exploitability of BIT-elasticsearch-2024-23444?
Exploitation requires local file system access to the machine where the elasticsearch-certutil CLI tool was run to generate a CSR; for an attacker who already has such access the complexity is low. No authentication within the tool itself is bypassed, since the flaw lies in how the key is stored. The privileges needed depend on the permissions of the generated key file: an attacker with read access to the directory holding it can retrieve the unencrypted key. This is a purely local scenario with no preconditions beyond the existence of an unencrypted private key file. The risk is higher in multi-user environments or wherever file system access is not strictly controlled.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-elasticsearch-2024-23444?
Available Upgrade Options
- org.elasticsearch:elasticsearch
  - <7.17.23 → Upgrade to 7.17.23
  - >8.0.0-alpha1, <8.13.0 → Upgrade to 8.13.0
Additional Resources
- https://github.com/elastic/elasticsearch/pull/106105
- https://github.com/elastic/elasticsearch/commit/07296d596a1dee24730e33ad40b6726f70c6fc23
- https://security.netapp.com/advisory/ntap-20250404-0001/
- https://nvd.nist.gov/vuln/detail/CVE-2024-23444
- https://github.com/elastic/elasticsearch/commit/bb1eddada3678257838b0590090ff9eb68acaa1b
- https://github.com/elastic/elasticsearch
- https://discuss.elastic.co/t/elasticsearch-8-13-0-7-17-23-security-update-esa-2024-12/364157
- https://github.com/elastic/elasticsearch/pull/109834
- https://github.com/elastic/elasticsearch/commit/321c4e1e6b738bf80faa41dbb9881489a4ab44e5
What are Similar Vulnerabilities to BIT-elasticsearch-2024-23444?
Similar Vulnerabilities: CVE-2023-34057, CVE-2022-23533, CVE-2020-13936, CVE-2019-10023, CVE-2018-1000632
