CVE-2020-7021 Overview
CVE-2020-7021 is an information disclosure vulnerability affecting Elasticsearch versions before 7.10.0 and 6.8.14. When audit logging is enabled with the emit_request_body option, the Elasticsearch audit log may contain sensitive information such as password hashes or authentication tokens. This vulnerability could allow an Elasticsearch administrator with access to audit logs to view these sensitive authentication details, potentially leading to credential theft or unauthorized access escalation.
Critical Impact
Sensitive authentication data including password hashes and tokens may be exposed in audit logs, enabling administrators to harvest credentials.
Affected Products
- Elastic Elasticsearch versions before 7.10.0
- Elastic Elasticsearch versions before 6.8.14
- Systems with audit logging enabled and the emit_request_body option set to true
Discovery Timeline
- 2021-02-10 - CVE-2020-7021 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-7021
Vulnerability Analysis
This vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File). The issue arises from improper handling of request body content during audit logging operations. When Elasticsearch's audit logging feature is configured with the emit_request_body option enabled, the system logs the complete HTTP request body for auditable events. This behavior becomes problematic when authentication-related API requests are processed, as the logged content may include plaintext credentials, password hashes, or authentication tokens submitted by users during login or credential update operations.
The vulnerability is reachable over the network but limited in scope, since exploitation requires elevated privileges: an attacker must already hold administrative access to the Elasticsearch cluster, or read access to wherever its audit logs are stored, to view the logged request bodies. This limitation does not diminish the risk in multi-administrator environments or where audit logs are forwarded to centralized logging systems with broader access.
Root Cause
The root cause of this vulnerability lies in insufficient filtering of sensitive data before writing to audit logs. The emit_request_body audit logging option was designed to provide detailed request information for compliance and debugging purposes, but the implementation failed to properly redact or mask sensitive authentication fields from the logged request bodies. Password hashes and authentication tokens contained in authentication API requests were written directly to the audit log without sanitization.
Attack Vector
The attack vector for CVE-2020-7021 requires network-based access with high privileges. An attacker exploiting this vulnerability would need:
- Administrative access to the Elasticsearch cluster
- Audit logging enabled with the emit_request_body option set to true
- Access to read audit log files or the audit log index
Once these conditions are met, the attacker can review audit logs to extract sensitive authentication information from previously logged requests. This could include password hashes that might be cracked offline, or authentication tokens that could be used for session hijacking or replay attacks.
Detection Methods for CVE-2020-7021
Indicators of Compromise
- Unusual access patterns to audit log indices or files by administrative accounts
- Bulk export or repeated queries against audit log data
- Presence of authentication-related fields (password hashes, tokens) in audit log entries
Detection Strategies
- Monitor access to Elasticsearch audit log indices for anomalous query patterns
- Implement alerting on administrative access to audit log storage locations
- Review audit log configurations to identify instances where emit_request_body is enabled
- Audit administrative account activity for unauthorized credential harvesting behavior
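One way to act on the indicators and strategies above, and to produce the list of credentials that need rotating, as an added example that is not part of the original advisory: the script below scans Elasticsearch 7.x JSON audit lines for request bodies that carry credential fields and reports only the key name, user and path, never the value. The sample audit lines and the key list are constructed for this example.

```python
import json

# Body keys that carry credential material on the Elasticsearch security APIs
# (change password, create user, token, API key). Constructed list; extend as needed.
SENSITIVE_KEYS = {"password", "password_hash", "token", "access_token",
                  "refresh_token", "api_key"}

# Constructed sample of ES 7.x audit JSON lines written with emit_request_body: true.
# ES stores the request body as an escaped JSON string under "request.body".
SAMPLE_AUDIT_LINES = [
    '{"type":"audit","event.type":"rest","event.action":"authentication_success",'
    '"user.name":"elastic","request.method":"PUT","url.path":"/_security/user/bob/_password",'
    '"request.body":"{\\"password\\":\\"hunter2\\"}"}',
    '{"type":"audit","event.type":"rest","event.action":"authentication_success",'
    '"user.name":"elastic","request.method":"POST","url.path":"/_security/user/carol",'
    '"request.body":"{\\"password_hash\\":\\"$2a$10$EXAMPLEHASH\\",\\"roles\\":[\\"viewer\\"]}"}',
    '{"type":"audit","event.type":"rest","event.action":"authentication_success",'
    '"user.name":"elastic","request.method":"GET","url.path":"/_cluster/health"}',
]


def sensitive_keys_in(node, found=None):
    """Collect sensitive key names anywhere in a parsed body, recursing into nested values."""
    found = set() if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() in SENSITIVE_KEYS and value not in (None, ""):
                found.add(key.lower())
            sensitive_keys_in(value, found)
    elif isinstance(node, list):
        for item in node:
            sensitive_keys_in(item, found)
    return found


def scan_audit_log(lines):
    """Return one finding per audit event whose request.body carries credential material.
    Findings name the key, user and path so the credential can be rotated; the value
    itself is never copied out of the log."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
            body = json.loads(event.get("request.body", "null"))
        except (ValueError, TypeError, AttributeError):
            continue  # not an audit JSON object, or a non-JSON body (e.g. a bulk request)
        keys = sensitive_keys_in(body)
        if keys:
            findings.append({"line": lineno, "action": event.get("event.action"),
                             "user": event.get("user.name"), "path": event.get("url.path"),
                             "keys": sorted(keys)})
    return findings
```

Run it over the rotated audit files (or the exported audit index) of any node that ran with emit_request_body enabled before the upgrade; each finding identifies a user or token whose credential should be rotated.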
Monitoring Recommendations
- Enable access logging on audit log files and indices to track who accesses sensitive log data
- Implement role-based access controls limiting audit log visibility to essential personnel only
- Deploy file integrity monitoring on audit log directories to detect unauthorized access or exfiltration
- Consider integrating Elasticsearch security events with SentinelOne Singularity platform for centralized threat detection
How to Mitigate CVE-2020-7021
Immediate Actions Required
- Upgrade Elasticsearch to version 7.10.0 or later for the 7.x branch
- Upgrade Elasticsearch to version 6.8.14 or later for the 6.x branch
- Review and rotate any credentials that may have been exposed in existing audit logs
- Restrict access to audit log files and indices to minimize exposure
Patch Information
Elastic has released security updates addressing this vulnerability. The fixes are included in Elasticsearch versions 7.10.0+ and 6.8.14+. Detailed information about the security update is available in the Elastic Stack Security Update. Additional vendor guidance is available from the NetApp Security Advisory.
Workarounds
- Disable the emit_request_body option in audit logging configuration if not strictly required
- Implement additional access controls on audit log storage to limit exposure
- Configure audit log rotation and secure deletion to minimize the window of credential exposure
- Consider excluding authentication-related API endpoints from detailed audit logging
# Configuration example (elasticsearch.yml): keep audit logging on but stop writing
# request bodies, so credentials submitted to the security APIs never reach the log.
# Apply the change on every node of the cluster.
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.emit_request_body: false
# Coarser alternative: exclude the authentication event types so their bodies are not
# logged. This also removes those events from the audit trail, and other REST-layer
# event types can still carry a body, so prefer emit_request_body: false where possible.
xpack.security.audit.logfile.events.exclude: ["authentication_success", "authentication_failed"]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.