Security Bulletin: Vulnerability in Elasticsearch affects IBM Cloud Private (CVE-2021-22138)

Summary

There is a vulnerability in the Elasticsearch open source library. The library is used by IBM Cloud Private logging. This bulletin identifies the security fixes to apply to address the Elasticsearch vulnerability (CVE-2021-22138).

Vulnerability Details

CVEID:CVE-2021-22138
**DESCRIPTION:**Elasticsearch Logstash is vulnerable to a man-in-the-middle attack, caused by a flaw in the TLS certificate validation. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202059 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

The recommended solution involves the IBM Cloud Private ibm-icplogging component. It is recommended that you follow the instructions for the component in the links listed below:

For IBM Cloud Private 3.1.1: IBM Cloud Private 3.1.1 Patch

For IBM Cloud Private 3.1.2: IBM Cloud Private 3.1.2 Patch

For IBM Cloud Private 3.2.0: IBM Cloud Private 3.2.0 Patch

For IBM Cloud Private 3.2.1: IBM Cloud Private 3.2.1 Patch

For IBM Cloud Private 3.2.2: IBM Cloud Private 3.2.2 Patch

For IBM Cloud Private 3.1.0:

• Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.

Workarounds and Mitigations

None