CVE-2018-17244 这个漏洞如果已经使用search-guard-ssl进行加固后,还会存在这个问题吗?
Elasticsearch | 作者 wssmao | 发布于2018年12月03日 | 阅读数:3089
CVE-2018-17244 这个漏洞如果已经使用search-guard-ssl进行加固后,还会存在这个问题吗?
Elasticsearch information disclosure (ESA-2018-16)
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.
Affected Versions
Elasticsearch Security versions 6.4.0, 6.4.1, and 6.4.2
Solutions and Mitigations:
Users should upgrade to Elasticsearch version 6.4.3.
If upgrading is not possible setting the realm’s cache.ttl option to 0 will prevent caching any user data. This will mitigate this issue but will slow requests considerably.
CVE ID: CVE-2018-17244
Elasticsearch information disclosure (ESA-2018-16)
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.
Affected Versions
Elasticsearch Security versions 6.4.0, 6.4.1, and 6.4.2
Solutions and Mitigations:
Users should upgrade to Elasticsearch version 6.4.3.
If upgrading is not possible setting the realm’s cache.ttl option to 0 will prevent caching any user data. This will mitigate this issue but will slow requests considerably.
CVE ID: CVE-2018-17244
2 个回复
rochy - rochy_he
赞同来自: wssmao
zqc0512 - andy zhou
赞同来自: wssmao