Source: opensearch
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for opensearch. It's not fully clear to me which affect the bits packaged in Debian and which not.

CVE-2023-45807[0]:
| OpenSearch is a community-driven, open source fork of Elasticsearch
| and Kibana following the license change in early 2021. There is an
| issue with the implementation of tenant permissions in OpenSearch
| Dashboards where authenticated users with read-only access to a
| tenant can perform create, edit and delete operations on index
| metadata of dashboards and visualizations in that tenant,
| potentially rendering them unavailable. This issue does not affect
| index data, only metadata. Dashboards correctly enforces read-only
| permissions when indexing and updating documents. This issue does
| not provide additional read access to data users don't already have.
| This issue can be mitigated by disabling the tenants functionality
| for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this
| issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv

CVE-2023-31141[1]:
| OpenSearch is open-source software suite for search, analytics, and
| observability applications. Prior to versions 1.3.10 and 2.7.0,
| there is an issue with the implementation of fine-grained access
| control rules (document-level security, field-level security and
| field masking) where they are not correctly applied to the queries
| during extremely rare race conditions potentially leading to
| incorrect access authorization. For this issue to be triggered, two
| concurrent requests need to land on the same instance exactly when
| query cache eviction happens, once every four hours. OpenSearch
| 1.3.10 and 2.7.0 contain a fix for this issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h

CVE-2023-23613[2]:
| OpenSearch is an open source distributed and RESTful search engine.
| In affected versions there is an issue in the implementation of
| field-level security (FLS) and field masking where rules written to
| explicitly exclude fields are not correctly applied for certain
| queries that rely on their auto-generated .keyword fields. This
| issue is only present for authenticated users with read access to
| the indexes containing the restricted fields. This may expose data
| which may otherwise not be accessible to the user. OpenSearch
| 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to
| upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may
| write explicit exclusion rules as a workaround. Policies authored in
| this way are not subject to this issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6

CVE-2023-23612[3]:
| OpenSearch is an open source distributed and RESTful search engine.
| OpenSearch uses JWTs to store role claims obtained from the Identity
| Provider (IdP) when the authentication backend is SAML or OpenID
| Connect. There is an issue in how those claims are processed from
| the JWTs where the leading and trailing whitespace is trimmed,
| allowing users to potentially claim roles they are not assigned to
| if any role matches the whitespace-stripped version of the roles
| they are a member of. This issue is only present for authenticated
| users, and it requires either the existence of roles that match, not
| considering leading/trailing whitespace, or the ability for users to
| create said matching roles. In addition, the Identity Provider must
| allow leading and trailing spaces in role names. OpenSearch
| 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to
| upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds
| for this issue.

https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45807
    https://www.cve.org/CVERecord?id=CVE-2023-45807
[1] https://security-tracker.debian.org/tracker/CVE-2023-31141
    https://www.cve.org/CVERecord?id=CVE-2023-31141
[2] https://security-tracker.debian.org/tracker/CVE-2023-23613
    https://www.cve.org/CVERecord?id=CVE-2023-23613
[3] https://security-tracker.debian.org/tracker/CVE-2023-23612
    https://www.cve.org/CVERecord?id=CVE-2023-23612

Please adjust the affected versions in the BTS as needed.
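The role-claim trimming problem behind CVE-2023-23612 is easy to reproduce outside OpenSearch. The following is an added illustration, not code from OpenSearch or from the bug report above: it models a role mapping that a security plugin might hold, reads the role claim out of an (unsigned, constructed) JWT payload, and contrasts a mapper that strips whitespace before matching with one that matches the IdP-issued value exactly. The `ROLE_MAPPING` table, the `roles` claim name, the user and the token are all constructed assumptions; signature verification is assumed to have happened upstream and is deliberately not part of the example.

```python
import base64
import json

# Constructed mapping (hypothetical format, not OpenSearch's own config):
# backend role name as issued by the IdP -> set of roles granted locally.
ROLE_MAPPING = {
    "analysts": {"readall"},
    "admins": {"all_access"},
}


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped token (alg=none) for the constructed example."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


def jwt_claims(token: str) -> dict:
    """Return the payload of a JWT. No signature check: this example assumes
    the token was already verified against the IdP's keys upstream."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def roles_vulnerable(claims: dict, roles_key: str = "roles") -> set:
    """Behaviour described by CVE-2023-23612: leading/trailing whitespace is
    trimmed from each claimed role before it is looked up, so a user whose
    IdP role is ' admins ' is mapped as if the IdP had said 'admins'."""
    granted = set()
    for role in claims.get(roles_key, []):
        granted |= ROLE_MAPPING.get(role.strip(), set())
    return granted


def roles_fixed(claims: dict, roles_key: str = "roles") -> set:
    """Match the role name byte-for-byte as the IdP issued it. Whitespace
    variants of a configured role then map to nothing, which is the intended
    outcome; the IdP, not the consumer, decides what a role name is."""
    granted = set()
    for role in claims.get(roles_key, []):
        granted |= ROLE_MAPPING.get(role, set())
    return granted


def escalated_roles(token: str) -> set:
    """Roles the trimming mapper grants that the exact mapper does not."""
    claims = jwt_claims(token)
    return roles_vulnerable(claims) - roles_fixed(claims)


# Constructed token: the IdP allowed a role named ' admins ' (with spaces),
# which the user was able to obtain; the user is legitimately in 'analysts'.
TOKEN = make_token({"sub": "alice", "roles": ["analysts", " admins "]})

if __name__ == "__main__":
    claims = jwt_claims(TOKEN)
    print("trimming mapper grants :", sorted(roles_vulnerable(claims)))
    print("exact mapper grants    :", sorted(roles_fixed(claims)))
    print("escalation             :", sorted(escalated_roles(TOKEN)))
```

The preconditions the advisory lists are visible in the example: the attack needs an existing mapped role whose trimmed form collides (`admins`), and an IdP that will issue a whitespace-padded variant of it. If either is missing, `escalated_roles` is empty, which is why the advisory treats upgrading rather than a configuration change as the fix.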