  1. Couchbase Elasticsearch Connector
  2. CBES-213

Sanitize Elasticsearch failure messages


Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 4.3.0, 4.2.12
    • Security Level: Public
    • None
    • 1

    Description

      Versions of Elasticsearch between 7.10.0 and 7.13.3 inclusive have a bug that can cause user credentials to appear in indexing failure messages (CVE-2021-22145, fixed in Elasticsearch 7.13.4).

      The connector logs indexing failure messages, and also writes them to the "redaction log" elasticsearch index. In order to mitigate the Elasticsearch CVE, redact failure messages that look like they might contain sensitive information.
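
One way such a redaction check could look, as an added example that is not the connector's own code. The class name, placeholder text and the three patterns are assumptions, since the issue does not say how the connector decides that a message looks sensitive.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical sanitizer; names and patterns are illustrative, not the connector's. */
public class FailureMessageSanitizer {
    static final String REDACTED =
        "[failure message redacted: may contain sensitive information]";

    // Assumed heuristics for "looks like it might contain sensitive information".
    private static final List<Pattern> SUSPICIOUS = List.of(
        // HTTP auth header name, or an auth scheme followed by a token
        Pattern.compile("(?i)\\bauthorization\\b|\\b(basic|bearer|apikey)\\s+[A-Za-z0-9+/=._-]{8,}"),
        // key/value pair whose key names a secret
        Pattern.compile("(?i)\\b(pass(word|wd)?|secret|token|api[_-]?key)\\b\\s*[\"']?\\s*[:=]"),
        // userinfo embedded in a URL: scheme://user:pass@host
        Pattern.compile("[a-zA-Z][a-zA-Z0-9+.-]*://[^/\\s:@]+:[^/\\s@]+@"));

    /** Returns the message unchanged when nothing matches, otherwise a fixed placeholder. */
    public static String sanitize(String message) {
        if (message == null) {
            return null;
        }
        for (Pattern p : SUSPICIOUS) {
            if (p.matcher(message).find()) {
                // Replace the whole message instead of masking the match:
                // the surrounding text is unstructured and may hold more secrets.
                return REDACTED;
            }
        }
        return message;
    }

    public static void main(String[] args) {
        // Constructed sample failure messages, not real Elasticsearch output.
        String[] samples = {
            "mapper_parsing_exception: failed to parse field [age] of type [long]",
            "illegal_argument_exception: unexpected input near Authorization: Basic ZXhhbXBsZTpleGFtcGxl",
            "parse error at {\"password\":\"example\"}",
            "connect failed for https://exampleuser:examplepass@es.example.com:9200"
        };
        for (String s : samples) {
            System.out.println(sanitize(s)); // first sample passes through, the rest are redacted
        }
    }
}
```

The same `sanitize` call would need to sit in front of both sinks the description names: the connector's log output and the documents written to the Elasticsearch index.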


            People

              david.nault David Nault
              david.nault David Nault