Vulnerability Description
Tencent Cloud Elasticsearch Service (ES) version 7.10.1 is affected by the CVE-2021-22145 vulnerability. A user with permission to submit arbitrary queries to Elasticsearch may submit malformed queries that cause the returned error messages to contain previously used portions of data buffers. These buffers may contain sensitive information, such as Elasticsearch documents or authentication details, which can lead to information leakage. If an attacker obtains authentication information for high-privilege accounts, they can escalate their permissions. For details about the vulnerability, see NVD - CVE-2021-22145.
Impact
Tencent Cloud ES clusters of Elasticsearch version 7.10.1 (including Platinum and Basic Editions) are affected by this vulnerability. Users of affected clusters may follow the instructions below to perform remediation.
Solution
Upgrade the Elasticsearch version of your ES clusters to 7.14.2 or higher in the ES console. Before upgrading, follow the instructions in the console to perform the relevant checks and select the appropriate upgrade method. For the operation instructions, see Upgrading ES Clusters.
Alternatively, if you do not want to upgrade the clusters at the moment, you can prevent the related risks through access control management:
For clusters that do not need public network access, disable public network access. Clusters with public network access disabled can only be accessed within the VPC, which effectively ensures the security of query submissions.
For clusters that need public network access, configure a public network access policy to control the allowlisted IP addresses and ensure that only trusted IP addresses can access the ES clusters.
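The following added example (not part of the original advisory or of any Tencent Cloud tooling) triages a cluster inventory against the remediation options above: upgrade target, VPC-only access, or a tight public allowlist. The inventory record fields, the sample clusters and the 256-address threshold for a "broad" allowlist entry are assumptions made for illustration.

```python
import ipaddress

AFFECTED = (7, 10, 1)      # version named in the advisory
FIXED_MIN = (7, 14, 2)     # upgrade target named in the advisory
MAX_ALLOWLIST_HOSTS = 256  # assumption: larger ranges are flagged for review

def parse_version(text):
    """Turn '7.10.1' into (7, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("-")[0].split("."))

def broad_entries(allowlist):
    """Return allowlist entries that admit any address or a large range."""
    flagged = []
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0 or net.num_addresses > MAX_ALLOWLIST_HOSTS:
            flagged.append(entry)
    return flagged

def triage(cluster):
    """Map one inventory record to the advisory's remediation options."""
    version = parse_version(cluster["version"])
    if version >= FIXED_MIN:
        return "ok: at or above 7.14.2"
    if version != AFFECTED:
        return "review: version not covered by this advisory"
    if not cluster["public_access"]:
        return "mitigated: VPC-only access, schedule upgrade"
    flagged = broad_entries(cluster["allowlist"])
    if flagged:
        return "act: upgrade or tighten allowlist " + ",".join(flagged)
    return "mitigated: public access limited by allowlist, schedule upgrade"

# Constructed inventory; names and addresses are documentation examples.
INVENTORY = [
    {"name": "es-logs", "version": "7.10.1", "public_access": True,
     "allowlist": ["0.0.0.0/0"]},
    {"name": "es-search", "version": "7.10.1", "public_access": True,
     "allowlist": ["203.0.113.10", "198.51.100.0/24"]},
    {"name": "es-internal", "version": "7.10.1", "public_access": False,
     "allowlist": []},
    {"name": "es-new", "version": "7.14.2", "public_access": True,
     "allowlist": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for c in INVENTORY:
        print(c["name"], "->", triage(c))
```

Versions are compared as integer tuples because a plain string comparison would rank "7.9.3" above "7.14.2".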