CA AXA 17.3 uses Elasticsearch v5.5.3 which is highlighted in vulnerability CVE-2018-3831

Document ID : KB000118661
Last Modified Date : 30/10/2018
Show Technical Document Details
Issue:
CA AXA 17.3 uses Elasticsearch v5.5.3 which is highlighted in vulnerability CVE-2018-3831:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3831
"Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details." 
Environment:
CA AXA 17.3.x
Resolution:
A question was raised directly  by CA AXA Engineering with Elasticsearch per this URL: https://discuss.elastic.co/t/es-vulnerability-cve-2018-3831/153883
*****
naysw01
Is CVE-2018-3831(Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API) applicable to standard elasticsearch or just elasticsearch with xpack plugin?
Thanks!
*****
Tim Vernum
Elasticsearch Engineering
The underlying issue with the _cluster/settings API affects standard elasticsearch, but the only secrets that are stored in dynamic cluster settings are part of x-pack, so there would be no information disclosure if x-pack isn't installed.
The issue could affect other plugins that store secrets in cluster settings.
*****


Only the standard Elasticsearch is distributed with AXA 17.3.x and there is no X-Pack or other plugin deployed, so the vulnerability CVE-2018-3831 does not apply to the Elasticsearch version 5.5.3 running under AXA 17.3.x.