Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 803251 (CVE-2021-22144, CVE-2021-22145) - app-misc/elasticsearch: multiple vulnerabilities (CVE-2021-{22144,22145})
Summary: app-misc/elasticsearch: multiple vulnerabilities (CVE-2021-{22144,22145})
Status: IN_PROGRESS
Alias: CVE-2021-22144, CVE-2021-22145
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://discuss.elastic.co/t/elastics...
Whiteboard: ~3 [ebuild]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-07-21 17:01 UTC by John Helmert III
Modified: 2022-04-13 06:55 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-21 17:01:35 UTC
CVE-2021-22145:

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.


Please bump.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 15:09:20 UTC
CVE-2021-22144:

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:20:43 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:28:48 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:36:45 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:44:48 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:52:51 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:56:47 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:00:47 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:09:04 UTC
Package list is empty or all packages have requested keywords.
Comment 10 Larry the Git Cow gentoo-dev 2021-07-31 10:03:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a27be1e46bb6cb26d7ed3107ed0096945914b233

commit a27be1e46bb6cb26d7ed3107ed0096945914b233
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-07-27 11:05:52 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-31 10:03:39 +0000

    app-misc/elasticsearch: bump to 7.13.4
    
    Bug: https://bugs.gentoo.org/803251
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  1 +
 app-misc/elasticsearch/elasticsearch-7.13.4.ebuild | 82 ++++++++++++++++++++++
 2 files changed, 83 insertions(+)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-06 19:51:29 UTC
(In reply to John Helmert III from comment #0)
> CVE-2021-22145:
> 
> A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to
> 7.13.3 error reporting. A user with the ability to submit arbitrary queries
> to Elasticsearch could submit a malformed query that would result in an
> error message returned containing previously used portions of a data buffer.
> This buffer could contain sensitive information such as Elasticsearch
> documents or authentication details.

Is the 6.x line affected by this?