Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMB211FE7F54E864E4127F8058C43A77D60D32E496B90949AB390F3F3A12FE9E19
HistoryJan 04, 2022 - 8:51 p.m.

Security Bulletin: Vulnerability in Elasticsearch affects IBM Cloud Private (CVE-2021-22135, CVE-2021-22137)

2022-01-0420:51:38
www.ibm.com
12

0.001 Low

EPSS

Percentile

38.9%

JSON

Summary

There is a vulnerability in the Elasticsearch open source library. The library is used by IBM Cloud Private logging. This bulletin identifies the security fixes to apply to address the Elasticsearch vulnerability (CVE-2021-22135, CVE-2021-22137).

Vulnerability Details

CVEID:CVE-2021-22135
**DESCRIPTION:**Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by an error in suggester and profile API when Document and Field Level Security are enabled. By sending a specific query, an attacker could exploit this vulnerability to discover the existence of documents, and use this information to launch further attacks against the affected system.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201914 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2021-22137
**DESCRIPTION:**Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by an error when using Document or Field Level Security. By executing certain cross-cluster search queries, an attacker could exploit this vulnerability to discover the existence of documents, and use this information to launch further attacks against the affected system.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201915 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Private 3.2.1 CD
IBM Cloud Private 3.2.2 CD

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

The recommended solution involves the IBM Cloud Private ibm-icplogging component. It is recommended that you follow the instructions for the component in the links listed below:

For IBM Cloud Private 3.1.1: IBM Cloud Private 3.1.1 Patch

For IBM Cloud Private 3.1.2: IBM Cloud Private 3.1.2 Patch

For IBM Cloud Private 3.2.0: IBM Cloud Private 3.2.0 Patch

For IBM Cloud Private 3.2.1: IBM Cloud Private 3.2.1 Patch

For IBM Cloud Private 3.2.2: IBM Cloud Private 3.2.2 Patch

For IBM Cloud Private 3.1.0:

  • Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.

Workarounds and Mitigations

None

Related

openvas 1
ibm 1
osv 6
cve 2
redhatcve 2
nvd 2
github 2
ubuntucve 2
prion 2
cvelist 2
veracode 1
redhat 2
openvas
openvas
Elastic Elasticsearch Multiple Vulnerabilities (ESA-2021-06, ESA-2021-08)
2021-05-14 00:00:00
ibm
ibm
Security Bulletin: IBM Security SOAR is using a version of Elasticsearch that has known vulnerabilities (CVE-2021-22137, CVE-2021-22135)
2021-09-27 19:24:38
osv
osv
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
2022-05-24 19:02:19
BIT-elasticsearch-2021-22137
2024-03-06 10:53:35
CVE-2021-22135
2021-05-13 18:15:08
cve
cve
CVE-2021-22137
2021-05-13 18:15:09
CVE-2021-22135
2021-05-13 18:15:08
redhatcve
redhatcve
CVE-2021-22135
2022-04-26 22:20:26
CVE-2021-22137
2021-03-25 14:58:19
nvd
nvd
CVE-2021-22137
2021-05-13 18:15:09
CVE-2021-22135
2021-05-13 18:15:08
github
github
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
2022-05-24 19:02:19
API information disclosure flaw in Elasticsearch
2021-07-02 18:33:02
ubuntucve
ubuntucve
CVE-2021-22135
2021-05-13 00:00:00
CVE-2021-22137
2021-05-13 00:00:00
prion
prion
Design/Logic Flaw
2021-05-13 18:15:00
Design/Logic Flaw
2021-05-13 18:15:00
cvelist
cvelist
CVE-2021-22135
2021-05-13 17:35:17
CVE-2021-22137
2021-05-13 17:35:18
veracode
veracode
Information Disclosure
2021-05-17 07:46:38
redhat
redhat
(RHSA-2022:5606) Moderate: Red Hat Integration Camel Extensions for Quarkus 2.7 security update
2022-07-19 13:36:43
(RHSA-2022:6407) Moderate: Red Hat Integration Camel-K 1.8 security update
2022-09-09 07:10:55

0.001 Low

EPSS

Percentile

38.9%

JSON
Related for B211FE7F54E864E4127F8058C43A77D60D32E496B90949AB390F3F3A12FE9E19
openvas1ibm1osv6cve2redhatcve2nvd2github2ubuntucve2prion2cvelist2veracode1redhat2