Bug#1054912: opensearch: CVE-2023-45807 CVE-2023-31141 CVE-2023-23613 CVE-2023-23612

Moritz Mühlenhoff jmm at inutil.org
Sat Oct 28 15:44:05 BST 2023


Source: opensearch
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for opensearch.

It's not fully clear to me which affect the bits packaged in Debian
and which not.

CVE-2023-45807[0]:
| OpenSearch is a community-driven, open source fork of Elasticsearch
| and Kibana following the license change in early 2021. There is an
| issue with the implementation of tenant permissions in OpenSearch
| Dashboards where authenticated users with read-only access to a
| tenant can perform create, edit and delete operations on index
| metadata of dashboards and visualizations in that tenant,
| potentially rendering them unavailable. This issue does not affect
| index data, only metadata. Dashboards correctly enforces read-only
| permissions when indexing and updating documents. This issue does
| not provide additional read access to data users don’t already have.
| This issue can be mitigated by disabling the tenants functionality
| for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this
| issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv

CVE-2023-31141[1]:
| OpenSearch is an open-source software suite for search, analytics, and
| observability applications. Prior to versions 1.3.10 and 2.7.0,
| there is an issue with the implementation of fine-grained access
| control rules (document-level security, field-level security and
| field masking) where they are not correctly applied to the queries
| during extremely rare race conditions potentially leading to
| incorrect access authorization. For this issue to be triggered, two
| concurrent requests need to land on the same instance exactly when
| query cache eviction happens, once every four hours. OpenSearch
| 1.3.10 and 2.7.0 contain a fix for this issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h

CVE-2023-23613[2]:
| OpenSearch is an open source distributed and RESTful search engine.
| In affected versions there is an issue in the implementation of
| field-level security (FLS) and field masking where rules written to
| explicitly exclude fields are not correctly applied for certain
| queries that rely on their auto-generated .keyword fields. This
| issue is only present for authenticated users with read access to
| the indexes containing the restricted fields. This may expose data
| which may otherwise not be accessible to the user. OpenSearch
| 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to
| upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may
| write explicit exclusion rules as a workaround. Policies authored in
| this way are not subject to this issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6

CVE-2023-23612[3]:
| OpenSearch is an open source distributed and RESTful search engine.
| OpenSearch uses JWTs to store role claims obtained from the Identity
| Provider (IdP) when the authentication backend is SAML or OpenID
| Connect. There is an issue in how those claims are processed from
| the JWTs where the leading and trailing whitespace is trimmed,
| allowing users to potentially claim roles they are not assigned to
| if any role matches the whitespace-stripped version of the roles
| they are a member of. This issue is only present for authenticated
| users, and it requires either the existence of roles that match, not
| considering leading/trailing whitespace, or the ability for users to
| create said matching roles. In addition, the Identity Provider must
| allow leading and trailing spaces in role names. OpenSearch
| 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to
| upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds
| for this issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45807
    https://www.cve.org/CVERecord?id=CVE-2023-45807
[1] https://security-tracker.debian.org/tracker/CVE-2023-31141
    https://www.cve.org/CVERecord?id=CVE-2023-31141
[2] https://security-tracker.debian.org/tracker/CVE-2023-23613
    https://www.cve.org/CVERecord?id=CVE-2023-23613
[3] https://security-tracker.debian.org/tracker/CVE-2023-23612
    https://www.cve.org/CVERecord?id=CVE-2023-23612

Please adjust the affected versions in the BTS as needed.
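As an added illustration of the CVE-2023-23612 mechanism described above (example code written for this report, not OpenSearch's own implementation), the following compares a role-claim mapping that trims whitespace before matching against configured roles with one that matches exactly, and gives an audit helper that flags claims which only match after trimming. The configured role names, the subject and the demo token are constructed.

```python
# Added illustration of the CVE-2023-23612 mechanism (not OpenSearch code):
# role claims carried in a JWT are compared against the backend roles configured
# in the cluster. Stripping leading/trailing whitespace before the comparison
# lets a claim such as " admin" map onto the configured role "admin".
# Every role name, claim and token below is constructed for the example.
import base64
import json

# Constructed set of backend roles configured in the security plugin.
CONFIGURED_ROLES = {"admin", "readall", "kibana_user"}


def _b64url(obj):
    """Encode a JSON object as unpadded base64url, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_demo_token(roles):
    """Build a constructed, unsigned-for-demo JWT carrying a 'roles' claim.
    The third segment is a placeholder; real tokens must be signature-checked."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "alice", "roles": list(roles)}
    return _b64url(header) + "." + _b64url(payload) + ".signature-placeholder"


def roles_from_token(jwt, roles_key="roles"):
    """Extract the raw role claims from a token payload (signature assumed
    verified elsewhere; this demo only decodes the second segment)."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
    return list(json.loads(base64.urlsafe_b64decode(payload_b64)).get(roles_key, []))


def map_roles_trimmed(claims):
    """Vulnerable pattern: whitespace is stripped before matching,
    so ' admin' resolves to the configured role 'admin'."""
    return {c.strip() for c in claims if c.strip() in CONFIGURED_ROLES}


def map_roles_exact(claims):
    """Hardened pattern: a claim must match a configured role byte-for-byte."""
    return {c for c in claims if c in CONFIGURED_ROLES}


def find_whitespace_collisions(claims):
    """Audit helper: claims that match a configured role only after trimming.
    These are the inputs an operator would want logged or rejected."""
    return [c for c in claims if c not in CONFIGURED_ROLES and c.strip() in CONFIGURED_ROLES]
```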



More information about the pkg-java-maintainers mailing list