Product release

Elasticsearch 5.4.1 and 5.3.3 released

Today we are pleased to announce bug fix releases of Elasticsearch 5.4.1, based on Lucene 6.5.1, and Elasticsearch 5.3.3, based on Lucene 6.4.2. Elasticsearch 5.4.1 is the latest stable release, and is already available for deployment on Elastic Cloud, our Elasticsearch-as-a-service platform. This release includes two security bug fixes — all users of X-Pack Security should upgrade.

Latest stable release in 5.x:

Bugfix release in 5.3:

You can read about all the changes in the release notes linked above, but there are a few changes which are worth highlighting below.

X-Pack Document Level Security and Aliases (ESA-2017-09)

X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias.

Affected versions

X-Pack Security 5.0.0 to 5.4.0 is affected by this flaw.

Solution and Mitigations

All users of X-Pack security should upgrade to version 5.3.3 or 5.4.1. If you cannot upgrade, disabling the request cache on the index will mitigate this bug.

CVE ID: CVE-2017-8441

X-Pack Privilege Escalation (ESA-2017-06)

This release fixes a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains any of the _user properties, the behavior of run_as will be incorrect. Additionally if the run_as user specified does not exist, the transition will not happen.

Generally when using the run_as functionality a user will transition to a different user. This bug will cause the role query to execute as the user which authenticated to Elasticsearch, not the user specified via run_as. This could result in a query returning incorrect or unexpected results.

If you are not using run_as functionality or the _user properties you are not affected by this issue.

Affected versions

X-Pack Security 5.0.0 to 5.4.0 is affected by this flaw.

Solution and Mitigations

If you are affected by this issue, we suggest you upgrade your Elastic Stack to version 5.4.1 If you are unable to upgrade, removing use of the {{_user.username}} placeholder and ensuring the run_as setting cannot be modified by untrusted users is a valid solution.

CVE ID: CVE-2017-8438

Other important changes

  • A bug with single-shard scroll could result in X-Pack Security causing a node to die with OOM.
  • Elasticsearch 5.4.0 with TLS enabled could not authenticate nodes from 5.3.x and before.
  • Authenticated LDAP users could remain cached after their authentication had been revoked.
  • Netty now respects the processors setting when sizing thread pools, buffer pools, and other resources, instead of potentially oversizing these resources when running on a node with other containers.
  • Index setting updates on a closed index are now validated, to protect users from creating bad settings which may prevent the index from being reopened.
  • Bugs have been fixed in the sniffing protocol of the transport client which could result in the client hanging.
  • The HDFS repository plugin in KERBEROS security mode clashed with the Java Security Manager.
  • Snapshot/restore retrieval of all snapshots in Elasticsearch 5.2.x and above was very slow.

Conclusion

Please download Elasticsearch 5.4.1, try it out, and let us know what you think on Twitter (@elastic) or in our forum. You can report any problems on the GitHub issues page.