
Notice for CVE-2021-22145 Vulnerability

Last updated: 2025-02-20 17:26:43

Vulnerability Description

Tencent Cloud Elasticsearch Service (ES) version 7.10.1 is affected by CVE-2021-22145. A user who is permitted to submit arbitrary queries to Elasticsearch can submit malformed queries that cause error messages to be returned containing previously used portions of data buffers. These buffers may hold sensitive information, such as Elasticsearch documents or authentication details, so information can be leaked. If an attacker obtains the authentication details of a high-privilege account this way, they can escalate their privileges. For details of the vulnerability, see the NVD entry for CVE-2021-22145.

Impact

Tencent Cloud ES clusters running Elasticsearch 7.10.1 (both Platinum and Basic Editions) are affected by this vulnerability. Users of affected clusters can follow the instructions below to remediate it.

Solution

Upgrade the Elasticsearch version of your ES clusters to 7.14.2 or later in the ES console. Before upgrading, follow the prompts in the console to perform the relevant checks and select the appropriate upgrade method. For step-by-step instructions, see Upgrading ES Clusters.

Alternatively, if you do not want to upgrade the clusters at the moment, you can reduce the risk through access control management:
For clusters that do not need public network access, disable public network access. A cluster with public network access disabled can only be reached from within its VPC, which effectively limits who can submit queries.
For clusters that do need public network access, configure a public network access policy with an IP allowlist so that only trusted IP addresses can reach the ES cluster.
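To confirm whether a cluster still needs the upgrade, a defender can read the version number Elasticsearch reports on its root endpoint (GET /) and compare it with the 7.14.2 remediation target named above. The script below is an added example, not Tencent Cloud's code; the sample response body is constructed, and the cluster URL in the fetch helper is a hypothetical placeholder. Versions between 7.10.1 and 7.14.2 are not characterised by this announcement, so the check only reports whether the cluster is at or above the remediation target.

```python
import json
import urllib.request
from typing import Tuple

# Values taken from the announcement: the affected version and the remediation target.
AFFECTED_VERSION = "7.10.1"
FIXED_VERSION = "7.14.2"

# Constructed sample of an Elasticsearch root-endpoint (GET /) response body,
# trimmed to the fields this check needs. Not captured from a real cluster.
SAMPLE_ROOT_RESPONSE = json.dumps({
    "name": "es-node-1",
    "cluster_name": "es-example",
    "version": {"number": "7.10.1", "build_flavor": "default"},
    "tagline": "You Know, for Search",
})


def parse_version(number: str) -> Tuple[int, ...]:
    """Turn '7.14.2' into (7, 14, 2); drop a pre-release suffix such as '-SNAPSHOT'."""
    core = number.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def cluster_version(root_response_body: str) -> str:
    """Extract version.number from the JSON body Elasticsearch returns on GET /."""
    return json.loads(root_response_body)["version"]["number"]


def assess(version: str) -> str:
    """Classify a version against this announcement: 'remediated', 'affected' or 'below-fix'."""
    if parse_version(version) >= parse_version(FIXED_VERSION):
        return "remediated"          # 7.14.2 or later: upgrade already applied
    if version == AFFECTED_VERSION:
        return "affected"            # exactly the version the announcement names
    return "below-fix"               # older than the fix; not covered by this notice


def check_cluster(base_url: str) -> str:
    """Fetch GET / from a cluster (base_url is hypothetical) and assess its version."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/", timeout=10) as resp:
        return assess(cluster_version(resp.read().decode("utf-8")))


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in check_cluster(url) for a live cluster.
    print(assess(cluster_version(SAMPLE_ROOT_RESPONSE)))
```

For a cluster that requires authentication, attach the credentials to the request before calling urlopen; the assessment logic is unchanged.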

