Today we are pleased to announce the bugfix releases of Elasticsearch 6.2.3 and Elasticsearch 6.1.4. Elasticsearch 6.2.3 is the latest stable release, and is already available for deployment on Elastic Cloud, our Elasticsearch-as-a-service platform.
Latest stable release in 6.x:
- Download Elasticsearch 6.2.3
- Elasticsearch 6.2.3 release notes
- Elasticsearch 6.2 breaking changes
- X-Pack 6.2.3 release notes
Release 6.2.3 includes a security fix for SAML authentication; anyone running an affected version should upgrade to this new release as soon as possible.
X-Pack Security SAML vulnerability (ESA-2018-07)
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows self-registration with arbitrary identifiers and the attacker can register an account with an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw.
Affected Versions: X-Pack Security 6.2.0, 6.2.1, and 6.2.2
CVE ID: CVE-2018-3822