CA AXA 17.3 uses Elasticsearch v5.5.3 which is highlighted in vulnerability CVE-2018-3831
CA App Experience Analytics
APP EXPERIENCE ANALYTICS ENGINE:AXAENG
CA AXA 17.3 uses Elasticsearch v5.5.3 which is highlighted in vulnerability CVE-2018-3831:
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
CA AXA 17.3.x
A question was raised directly by CA AXA Engineering with Elasticsearch per this URL:
Is CVE-2018-3831 (Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API) applicable to standard Elasticsearch or just Elasticsearch with xpack plugin?
The underlying issue with the _cluster/settings API affects standard Elasticsearch, but the only secrets that are stored in dynamic cluster settings are part of x-pack, so there would be no information disclosure if x-pack isn't installed.
The issue could affect other plugins that store secrets in cluster settings.
AXA 17.3.x distributes only the standard Elasticsearch, with no X-Pack or other plugin deployed, so CVE-2018-3831 does not apply to Elasticsearch version 5.5.3 running under AXA 17.3.x.
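One way to confirm this conclusion on a given cluster, as an added example that is not CA's or Elastic's code: it evaluates saved responses from `GET _cat/plugins?format=json` and `GET _cluster/settings?flat_settings=true`. The function names, the sample responses and the keyword heuristic (taken from the advisory's "passwords, tokens, or usernames") are assumptions.

```python
import re

# Heuristic from the advisory wording: "passwords, tokens, or usernames".
SECRET_KEY = re.compile(r"password|token|username", re.IGNORECASE)


def flatten(node, prefix=""):
    """Yield dotted setting names from a flat or nested settings object."""
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path


def secret_like_settings(cluster_settings):
    """Return sorted (scope, name) pairs whose name looks like a credential."""
    return sorted(
        (scope, name)
        for scope in ("persistent", "transient")
        for name in flatten(cluster_settings.get(scope, {}))
        if SECRET_KEY.search(name)
    )


def assess(plugins, cluster_settings):
    """Classify a cluster from its plugin inventory and dynamic settings."""
    components = sorted({p["component"] for p in plugins})
    hits = secret_like_settings(cluster_settings)
    if hits:
        verdict = "exposed"          # credential-like names readable via the API
    elif components:
        verdict = "review"           # plugins present; they may store secrets
    else:
        verdict = "not applicable"   # no plugin and no secret-like settings
    return {"plugins": components, "secret_like_settings": hits, "verdict": verdict}


# Constructed sample responses (not captured from a real cluster).
STOCK = ([], {"persistent": {}, "transient": {}})
WITH_XPACK = (
    [{"name": "node-1", "component": "x-pack", "version": "5.5.3"}],
    {"persistent": {"xpack.monitoring.exporters.remote.auth.username": "monitor",
                    "xpack.monitoring.exporters.remote.auth.password": "constructed"},
     "transient": {"cluster.routing.allocation.enable": "all"}},
)

if __name__ == "__main__":
    for label, (plugins, settings) in (("stock", STOCK), ("x-pack", WITH_XPACK)):
        print(label, assess(plugins, settings))
```

A "review" verdict covers the case the reply above mentions: a plugin is installed but has not yet stored anything credential-like in the dynamic cluster settings.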