CVE-2022-23708 Overview
A flaw was discovered in Elasticsearch 7.17.0's upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with "*" index permissions access to this index. This vulnerability represents a Broken Access Control issue that could expose sensitive security configuration data to unauthorized users.
Critical Impact
Authenticated users with wildcard index permissions can gain unauthorized access to the security index, potentially exposing sensitive security configuration data including user credentials and role definitions.
Affected Products
- Elastic Elasticsearch 7.17.0
- Elasticsearch instances upgraded from version 6.x to 7.x using the upgrade assistant
- Deployments where users have "*" index permissions configured
Discovery Timeline
- 2022-03-03 - CVE-2022-23708 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-23708
Vulnerability Analysis
This vulnerability affects the upgrade assistant component within Elasticsearch 7.17.0. During the migration process from version 6.x to 7.x, the upgrade assistant inadvertently disables built-in protections that normally restrict access to the .security index. The security index is a critical internal index that stores authentication and authorization data, including user accounts, roles, and API keys.
Under normal circumstances, access to this index is strictly controlled regardless of a user's configured index permissions. However, after an affected upgrade, authenticated users who have been granted wildcard (*) index permissions can bypass these protections and directly query or modify the security index contents.
Root Cause
The root cause stems from a flaw in the upgrade assistant's migration logic. When performing the upgrade from Elasticsearch 6.x to 7.x, the process fails to properly preserve or reinitialize the security index protections. This results in the security index being treated as a standard index rather than a protected system index, effectively removing the access control layer that should restrict its visibility.
Attack Vector
The attack vector requires network access and authentication to the Elasticsearch cluster. An attacker must possess valid credentials for an account that has been granted wildcard (*) index access permissions. Once authenticated, the attacker can directly query the .security index to retrieve sensitive data such as hashed passwords, user role mappings, and API key configurations. This information disclosure could facilitate further privilege escalation or credential theft attacks.
The vulnerability is exploited through standard Elasticsearch API calls targeting the security index. For example, authenticated users could enumerate all documents in the .security index or perform targeted searches for specific user accounts or role definitions.
Detection Methods for CVE-2022-23708
Indicators of Compromise
- Unexpected API requests targeting the .security index from non-administrative users
- Audit log entries showing successful reads or queries against the .security index by accounts that should not have access
- Unusual patterns of index enumeration or bulk data retrieval operations
- Evidence of credential harvesting or role enumeration activities in access logs
Detection Strategies
- Enable and review Elasticsearch audit logs for any access attempts to the .security index
- Monitor for search or get requests targeting .security* indices from user accounts
- Implement alerting on wildcard index access patterns that include system indices
- Review user permission configurations to identify accounts with overly broad * index permissions
Monitoring Recommendations
- Configure centralized log aggregation for all Elasticsearch audit events
- Create dashboards to visualize access patterns to protected system indices
- Establish baseline access patterns and alert on deviations
- Periodically audit user accounts and their associated index permissions
How to Mitigate CVE-2022-23708
Immediate Actions Required
- Upgrade to Elasticsearch 7.17.1 or later which addresses this vulnerability
- Review all user accounts with wildcard (*) index permissions and restrict access scope
- Audit the security index for any unauthorized access or modifications
- Reset credentials for any accounts that may have been exposed
Patch Information
Elastic has released version 7.17.1 to address this vulnerability. The security update restores proper protections on the security index after upgrades. Detailed information about the fix is available in the Elastic Stack 7.17.1 Security Update. Additional guidance may be found in the NetApp Security Advisory NTAP-20220729-0003.
Workarounds
- Avoid granting wildcard (*) index permissions; use explicit index patterns that exclude system indices
- Implement additional network segmentation to restrict Elasticsearch API access to trusted hosts
- Enable and closely monitor audit logging for all security index access attempts
- Consider temporarily restricting access to the Elasticsearch cluster until the patch can be applied
# Review users with wildcard index permissions
# Use the Elasticsearch Security API to audit role mappings
# List all roles and check for "*" index privileges
GET /_security/role
# Restrict role to exclude system indices (example)
PUT /_security/role/limited_user
{
"indices": [
{
"names": ["*", "-.*"],
"privileges": ["read", "write"]
}
]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
