CVE-2023-49921 - Watcher Search Input DEBUG Log Exposure in Elasticsearch

A security vulnerability has been discovered in Elasticsearch, a widely-used open-source, distributed, RESTful search and analytics engine developed by Elastic. The issue, assigned CVE-2023-49921, pertains to the logging of search query results by the Watcher search input on the DEBUG log level. As a consequence, raw contents of documents stored in Elasticsearch could potentially be exposed in logs, posing a security risk for users.

Elastic has acknowledged this issue and released updates 8.11.2 and 7.17.16 to address it. By applying these updates, excessive logging is removed, effectively resolving the vulnerability.

Code Snippet

Consider an example configuration in elasticsearch.yml where the logger for the Watcher search input is set to DEBUG level:

logger.org.elasticsearch.xpack.watcher.input.search: DEBUG

If you have a similar logger configuration for your Elasticsearch instance, you might be affected by this vulnerability. Updating to the latest Elasticsearch release will fix this issue.
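The check below is an added example, not code from Elastic or from the original page. It decides whether a node is exposed by combining the fixed versions named above with the logger level that actually applies to the Watcher search input. It goes beyond the single logger shown above: Log4j loggers are hierarchical, so DEBUG set on a parent package also applies. The flat `logger.<name>` key layout and the sample settings are assumptions constructed for illustration.

```python
import json

TARGET = "org.elasticsearch.xpack.watcher.input.search"
# Log4j levels ordered from least to most verbose; DEBUG or finer triggers the leak.
VERBOSITY = ["OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE", "ALL"]
FIXED = {7: (7, 17, 16), 8: (8, 11, 2)}  # fixed releases named on this page


def effective_level(flat_settings, target=TARGET, default="INFO"):
    """Return (level, source_key) that applies to `target`.

    Loggers are hierarchical: the most specific configured ancestor wins.
    """
    name = target
    while name:
        key = "logger." + name
        if key in flat_settings:
            return flat_settings[key].upper(), key
        name = name.rpartition(".")[0]  # drop the last package segment
    return default, None  # assumed default when nothing is configured


def has_fix(version):
    """True if `version` is at or past the fixed release of its 7.x/8.x line."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    if parts[0] not in FIXED:
        raise ValueError("only the 7.x and 8.x lines are covered here")
    return parts >= FIXED[parts[0]]


def exposed(version, flat_settings):
    """A node logs search-input results only if unpatched AND at DEBUG or finer."""
    level, key = effective_level(flat_settings)
    verbose = VERBOSITY.index(level) >= VERBOSITY.index("DEBUG")
    return (not has_fix(version)) and verbose, level, key


# Constructed sample: flattened logger settings (not taken from a real cluster).
SAMPLE = json.loads("""{
  "logger.org.elasticsearch.xpack.watcher": "debug",
  "logger.org.elasticsearch.discovery": "TRACE"
}""")

if __name__ == "__main__":
    for v in ("8.11.1", "8.11.2", "7.17.15"):
        print(v, exposed(v, SAMPLE))
```

If a node turns out to be exposed, existing log files written while the logger was at DEBUG should be treated as containing document data, even after the upgrade.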

Solution

Elastic has released Elasticsearch versions 8.11.2 and 7.17.16 to address this security issue. It is highly recommended that affected users update their Elasticsearch installations to one of these versions as soon as possible.

Updating Elasticsearch

To update your Elasticsearch instance, follow Elastic's official documentation on updating to the latest version:

- Instructions for Elasticsearch 8.11.2
- Instructions for Elasticsearch 7.17.16

Exploit Details

While no known public exploits are currently available for this vulnerability, it is essential to address the issue to avoid exposure of sensitive document contents in logs. Unauthorized access to log files containing raw Elasticsearch document data could lead to further security problems, including the compromise of personal or proprietary information.

By updating your Elasticsearch installation to version 8.11.2 or 7.17.16, you can ensure that you are protected against the potential risks associated with CVE-2023-49921.

References

For more information about this vulnerability and its resolution, please refer to the following resources:

- Elasticsearch Security Announcement
- Elasticsearch 8.11.2 Release Notes
- Elasticsearch 7.17.16 Release Notes

Timeline

Published on: 07/26/2024 05:15:10 UTC
Last modified on: 07/26/2024 13:47:08 UTC