Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 803251 (CVE-2021-22144, CVE-2021-22145)

Summary: <app-misc/elasticsearch-7.13.4: multiple vulnerabilities (CVE-2021-{22144,22145})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: hydrapolic, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177
See Also: https://github.com/gentoo/gentoo/pull/21806
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-21 17:01:35 UTC
CVE-2021-22145:

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.


Please bump.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 15:09:20 UTC
CVE-2021-22144:

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:20:43 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:28:48 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:36:45 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:44:48 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:52:51 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:56:47 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:00:47 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:09:04 UTC
Package list is empty or all packages have requested keywords.
Comment 10 Larry the Git Cow gentoo-dev 2021-07-31 10:03:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a27be1e46bb6cb26d7ed3107ed0096945914b233

commit a27be1e46bb6cb26d7ed3107ed0096945914b233
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-07-27 11:05:52 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-31 10:03:39 +0000

    app-misc/elasticsearch: bump to 7.13.4
    
    Bug: https://bugs.gentoo.org/803251
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  1 +
 app-misc/elasticsearch/elasticsearch-7.13.4.ebuild | 82 ++++++++++++++++++++++
 2 files changed, 83 insertions(+)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-06 19:51:29 UTC
(In reply to John Helmert III from comment #0)
> CVE-2021-22145:
> 
> A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to
> 7.13.3 error reporting. A user with the ability to submit arbitrary queries
> to Elasticsearch could submit a malformed query that would result in an
> error message returned containing previously used portions of a data buffer.
> This buffer could contain sensitive information such as Elasticsearch
> documents or authentication details.

Is the 6.x line affected by this?
Comment 12 Tomáš Mózes 2022-11-01 07:17:57 UTC
Tree clean