RSS   Podatności dla 'Elastic cloud enterprise'   RSS

2018-09-19
 
CVE-2018-3829

CWE-290
 
 
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data.

 
 
CVE-2018-3828

CWE-532
 
 
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials.

 
 
CVE-2018-3825

CWE-1188
 
 
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.

 

 >>> Vendor: Elastic 16 Produkty
Logstash
Elasticsearch
Kibana
X-pack
Kibana reporting
Azure repository
Apm-agent-ruby
Elastic cloud enterprise
Elasticsearch x-pack
Kibana x-pack
Logstash x-pack
Winlogbeat
Apm agent
Elastic cloud on kubernetes
Elastic app search
Enterprise search

Copyright 2024, cxsecurity.com

 

Back to Top