If a cluster has already been hardened with search-guard-ssl, does the CVE-2018-17244 vulnerability still apply?

Elasticsearch | Author: wssmao | Posted on December 3, 2018 | Views: 410

If a cluster has already been hardened with search-guard-ssl, does the CVE-2018-17244 vulnerability still apply?
Elasticsearch information disclosure (ESA-2018-16)

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.

Affected Versions
Elasticsearch Security versions 6.4.0, 6.4.1, and 6.4.2

Solutions and Mitigations:
Users should upgrade to Elasticsearch version 6.4.3.

If upgrading is not possible, setting the realm’s cache.ttl option to 0 will prevent caching any user data. This will mitigate this issue but will slow requests considerably.

CVE ID: CVE-2018-17244

rochy - rochy_he@tw

Upvoted by: wssmao

This vulnerability appears to affect only the Elasticsearch Security module; if you are not using ES's security service, you can ignore it.

zqc0512 - andy zhou

Upvoted by: wssmao

It depends on whether your backend uses AD/LDAP authentication; if it doesn't, you don't have this pitfall.
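
As an added example (not part of the thread or of Elastic's advisory), the check below applies the advisory quoted in the question to a single node: it reports whether a 6.4.0 to 6.4.2 node has Active Directory, LDAP, Native or File realms that still cache users. The flat `xpack.security.authc.realms.<name>.*` key layout, the default-realm fallback, the treatment of an absent `xpack.security.enabled`, and the sample configuration are assumptions.

```python
import re

AFFECTED = {(6, 4, 0), (6, 4, 1), (6, 4, 2)}                  # versions listed in the advisory
REALM_TYPES = {"active_directory", "ldap", "native", "file"}  # realms listed in the advisory
REALM_KEY = re.compile(r"^xpack\.security\.authc\.realms\.([^.]+)\.(type|cache\.ttl)$")

def parse_flat_settings(text):
    """Read 'dotted.key: value' lines (assumption: flat keys, no nested YAML)."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")
        if sep:
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def ttl_is_zero(value):
    """True for 0, 0s, 0m, ...; an unset cache.ttl leaves caching on, so False."""
    m = re.fullmatch(r"(\d+)\s*[a-z]*", value or "")
    return bool(m) and int(m.group(1)) == 0

def assess(version, yml_text):
    """Return (status, names of realms that still cache users) for ESA-2018-16."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    if tuple(map(int, m.groups())) not in AFFECTED:
        return "not affected (version)", []
    cfg = parse_flat_settings(yml_text)
    # Assumption: an absent xpack.security.enabled is treated as "may be on".
    if cfg.get("xpack.security.enabled", "true").lower() == "false":
        return "not affected (security disabled)", []
    realms = {}
    for key, value in cfg.items():
        if hit := REALM_KEY.match(key):
            realms.setdefault(hit.group(1), {})[hit.group(2)] = value
    if not realms:
        # Assumption: with no realm configured, 6.x uses its default native and file realms.
        realms = {"default_native": {"type": "native"}, "default_file": {"type": "file"}}
    in_scope = {n: r for n, r in realms.items() if r.get("type") in REALM_TYPES}
    if not in_scope:
        return "not affected (no listed realm type)", []
    caching = sorted(n for n, r in in_scope.items() if not ttl_is_zero(r.get("cache.ttl")))
    return ("affected" if caching else "mitigated (cache.ttl 0)"), caching

# Constructed sample configuration, not taken from the page.
SAMPLE = """\
xpack.security.authc.realms.ad1.type: active_directory
xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.cache.ttl: 0
"""
```

Calling `assess("6.4.1", SAMPLE)` reports `ad1` as the realm that still needs the upgrade or the `cache.ttl` mitigation, while `ldap1` is already covered.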