Lucene search

K
ibmIBM973CA10E8C7DDE9E13D3B2D1342D683F6B5E90F5D0965B95D68071D95D63CBB7
HistoryJan 04, 2022 - 8:59 p.m.

Security Bulletin: Vulnerability in Elasticsearch affects IBM Cloud Private (CVE-2021-22138)

2022-01-0420:59:16
www.ibm.com
18

EPSS

0.001

Percentile

28.7%

Summary

There is a vulnerability in the Elasticsearch open source library. The library is used by IBM Cloud Private logging. This bulletin identifies the security fixes to apply to address the Elasticsearch vulnerability (CVE-2021-22138).

Vulnerability Details

CVEID:CVE-2021-22138
**DESCRIPTION:**Elasticsearch Logstash is vulnerable to a man-in-the-middle attack, caused by a flaw in the TLS certificate validation. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202059 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Private 3.2.1 CD
IBM Cloud Private 3.2.2 CD

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

The recommended solution involves the IBM Cloud Private ibm-icplogging component. It is recommended that you follow the instructions for the component in the links listed below:

For IBM Cloud Private 3.1.1: IBM Cloud Private 3.1.1 Patch

For IBM Cloud Private 3.1.2: IBM Cloud Private 3.1.2 Patch

For IBM Cloud Private 3.2.0: IBM Cloud Private 3.2.0 Patch

For IBM Cloud Private 3.2.1: IBM Cloud Private 3.2.1 Patch

For IBM Cloud Private 3.2.2: IBM Cloud Private 3.2.2 Patch

For IBM Cloud Private 3.1.0:

  • Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.

Workarounds and Mitigations

None

EPSS

0.001

Percentile

28.7%

Related for 973CA10E8C7DDE9E13D3B2D1342D683F6B5E90F5D0965B95D68071D95D63CBB7