We are releasing today a critical security update for the Search Guard Suite.
It affects users which use Search Guard 42 or later on Elasticsearch 7.7.0 or later and have hidden indices (index.hidden: true) on their cluster. These users are advised to update as soon as possible or to apply the mitigation explained below.
Description:
A flaw was discovered in Search Guard where privilges were not properly evaluated for indices with the hidden flag set. This flaw could lead to authenticated users gaining access to data they are not authorized to view.
The flaw only affects indices with index.hidden: true in their settings. The flaw does not affect the internal Search Guard indices, as these are using a special protection. The flaw only allows read access; write access is not possible.
Affected Versions:
Search Guard versions 42.0.0 to 52.4.0 for Elasticsearch versions starting at 7.7.0.
Solution:
Update to Search Guard version 52.5.0.
Mitigation:
If you are unable to update to Search Guard 52.5.0 on a short term, you can apply the following mitigation:
Remove index.hidden: true from the settings of all indices. Note that this may affect queries using wildcards.
~~
Search Guard (®) is an Elasticsearch plugin that offers encryption, authentication, and authorization.
Coded with love in Berlin, Denmark, Sweden, Italy, Ukraine and the US.
Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries.
Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.