
Debian Bug report logs - #1054912
opensearch: CVE-2023-45807 CVE-2023-31141 CVE-2023-23613 CVE-2023-23612

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Sat, 28 Oct 2023 14:45:02 UTC

Severity: important

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1054912; Package src:opensearch. (Sat, 28 Oct 2023 14:45:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 28 Oct 2023 14:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: opensearch: CVE-2023-45807 CVE-2023-31141 CVE-2023-23613 CVE-2023-23612
Date: Sat, 28 Oct 2023 16:44:05 +0200
Source: opensearch
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for opensearch.

It's not fully clear to me which affect the bits packaged in Debian
and which not.

CVE-2023-45807[0]:
| OpenSearch is a community-driven, open source fork of Elasticsearch
| and Kibana following the license change in early 2021. There is an
| issue with the implementation of tenant permissions in OpenSearch
| Dashboards where authenticated users with read-only access to a
| tenant can perform create, edit and delete operations on index
| metadata of dashboards and visualizations in that tenant,
| potentially rendering them unavailable. This issue does not affect
| index data, only metadata. Dashboards correctly enforces read-only
| permissions when indexing and updating documents. This issue does
| not provide additional read access to data users don’t already have.
| This issue can be mitigated by disabling the tenants functionality
| for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this
| issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv

CVE-2023-31141[1]:
| OpenSearch is open-source software suite for search, analytics, and
| observability applications. Prior to versions 1.3.10 and 2.7.0,
| there is an issue with the implementation of fine-grained access
| control rules (document-level security, field-level security and
| field masking) where they are not correctly applied to the queries
| during extremely rare race conditions potentially leading to
| incorrect access authorization. For this issue to be triggered, two
| concurrent requests need to land on the same instance exactly when
| query cache eviction happens, once every four hours. OpenSearch
| 1.3.10 and 2.7.0 contain a fix for this issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h48h

CVE-2023-23613[2]:
| OpenSearch is an open source distributed and RESTful search engine.
| In affected versions there is an issue in the implementation of
| field-level security (FLS) and field masking where rules written to
| explicitly exclude fields are not correctly applied for certain
| queries that rely on their auto-generated .keyword fields. This
| issue is only present for authenticated users with read access to
| the indexes containing the restricted fields. This may expose data
| which may otherwise not be accessible to the user. OpenSearch
| 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to
| upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may
| write explicit exclusion rules as a workaround. Policies authored in
| this way are not subject to this issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6

CVE-2023-23612[3]:
| OpenSearch is an open source distributed and RESTful search engine.
| OpenSearch uses JWTs to store role claims obtained from the Identity
| Provider (IdP) when the authentication backend is SAML or OpenID
| Connect. There is an issue in how those claims are processed from
| the JWTs where the leading and trailing whitespace is trimmed,
| allowing users to potentially claim roles they are not assigned to
| if any role matches the whitespace-stripped version of the roles
| they are a member of. This issue is only present for authenticated
| users, and it requires either the existence of roles that match, not
| considering leading/trailing whitespace, or the ability for users to
| create said matching roles. In addition, the Identity Provider must
| allow leading and trailing spaces in role names. OpenSearch
| 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to
| upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds
| for this issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45807
    https://www.cve.org/CVERecord?id=CVE-2023-45807
[1] https://security-tracker.debian.org/tracker/CVE-2023-31141
    https://www.cve.org/CVERecord?id=CVE-2023-31141
[2] https://security-tracker.debian.org/tracker/CVE-2023-23613
    https://www.cve.org/CVERecord?id=CVE-2023-23613
[3] https://security-tracker.debian.org/tracker/CVE-2023-23612
    https://www.cve.org/CVERecord?id=CVE-2023-23612

Please adjust the affected versions in the BTS as needed.
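The CVE-2023-23612 description above concerns role claims from a SAML/OIDC JWT being whitespace-trimmed before they are matched against configured roles. The following Python is an added illustration, not OpenSearch project code and not part of the bug report: it contrasts a trimmed matcher (the behaviour the advisory describes) with a strict matcher, and includes a small audit helper a defender can run over incoming tokens to spot role claims that carry surrounding whitespace, which points at an IdP configuration worth reviewing. The role names, the `roles` claim name, the sample token and all function names are constructed assumptions for the demo; signature verification is out of scope here and must happen before any claim is trusted in a real deployment.

```python
"""
Added example (not OpenSearch project code): role-claim matching with and
without whitespace trimming, as described for CVE-2023-23612, plus an audit
helper. All role names, claim names and tokens below are constructed.
"""
import base64
import json

# Constructed: backend roles as an authorizer might have them configured.
CONFIGURED_BACKEND_ROLES = {"admin", "analyst", "readonly"}


def roles_from_jwt(token: str) -> list:
    """Decode the payload segment of a JWT and return its `roles` claim as a list.

    The signature is NOT verified here; this helper only reads the payload so
    the matching logic can be shown. Verify signatures before trusting claims.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    roles = payload.get("roles", [])
    return roles if isinstance(roles, list) else [roles]


def match_roles_trimmed(claimed: list, configured: set) -> set:
    """Vulnerable-style matching: whitespace is stripped before comparison,
    so a claim such as ' admin' is accepted as the configured role 'admin'."""
    return {r.strip() for r in claimed if r.strip() in configured}


def match_roles_strict(claimed: list, configured: set) -> set:
    """Hardened matching: a claim must equal a configured role name exactly."""
    return {r for r in claimed if r in configured}


def roles_with_surrounding_whitespace(claimed: list) -> list:
    """Audit helper: return claimed roles that carry leading/trailing whitespace.
    A non-empty result means the IdP is emitting role names that need review."""
    return [r for r in claimed if r != r.strip()]


def make_sample_jwt(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string for the demo (constructed, alg 'none')."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Constructed token: one role claim carries a leading space.
    token = make_sample_jwt({"sub": "alice", "roles": [" admin", "analyst"]})
    claimed = roles_from_jwt(token)
    print("claimed roles:   ", claimed)
    print("trimmed matching:", match_roles_trimmed(claimed, CONFIGURED_BACKEND_ROLES))
    print("strict matching: ", match_roles_strict(claimed, CONFIGURED_BACKEND_ROLES))
    print("needs review:    ", roles_with_surrounding_whitespace(claimed))
```

Running the block shows the difference: the trimmed matcher grants both `admin` and `analyst` for the sample token, the strict matcher grants only `analyst`, and the audit helper reports `' admin'` as a claim to investigate at the IdP.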



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2023 15:24:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Oct 28 17:55:03 2023; Machine Name: bembo
