CVE-2021-22146

7.5 HIGH

📋 TL;DR

All versions of Elastic Cloud Enterprise have the Elasticsearch 'anonymous' user enabled by default in the clusters they deploy, so unauthenticated clients can send requests to the cluster's REST API. The default anonymous user holds no permissions and cannot read data, but the responses it receives still let an attacker learn details about the cluster's configuration. Every Elastic Cloud Enterprise deployment running with default settings is affected.

💻 Affected Systems

Products:
  • Elastic Cloud Enterprise
Versions: All versions prior to fixes
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default deployments where anonymous user is enabled. Elastic Cloud Enterprise (ECE) deployments only, not standalone Elasticsearch.

📦 What is this software?

Elastic Cloud Enterprise (ECE) is Elastic's self-managed orchestration platform for provisioning and operating Elasticsearch and Kibana deployments on your own infrastructure. ECE writes the elasticsearch.yml of every cluster it creates, which is why a platform-level default (the anonymous user) shows up in each deployed cluster.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map cluster topology, identify node information, and potentially discover other vulnerabilities or misconfigurations that could lead to further exploitation.

🟠 Likely Case

Information disclosure about cluster configuration, node details, and deployment architecture that could aid in reconnaissance for more targeted attacks.

🟢 If Mitigated

Limited to no impact if the anonymous user is disabled or proper network segmentation prevents access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to Elasticsearch API endpoints. Public proof-of-concept demonstrates information gathering capabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ECE 3.0.0 and later

Vendor Advisory: https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180

Restart Required: Yes

Instructions:

1. Upgrade Elastic Cloud Enterprise to version 3.0.0 or later.
2. Follow Elastic's upgrade documentation for your deployment.
3. Verify the anonymous user is disabled in cluster settings.

🔧 Temporary Workarounds

Disable Anonymous User

Platforms: all

Manually disable the anonymous user in the Elasticsearch configuration.

Update elasticsearch.yml:

  xpack.security.authc.anonymous.username: _anonymous
  xpack.security.authc.anonymous.roles: []
  xpack.security.authc.anonymous.authz_exception: false

Network Segmentation

Platforms: all

Restrict access to Elasticsearch API endpoints

  • Configure firewall rules to limit access to Elasticsearch ports (9200, 9300)
  • Use network security groups or ACLs to restrict source IPs

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach Elasticsearch API endpoints
  • Monitor for unauthorized access attempts to Elasticsearch APIs and review audit logs regularly

🔍 How to Verify

Check if Vulnerable:

Attempt to query an Elasticsearch API endpoint without authentication:

  curl -X GET http://<elasticsearch-host>:9200/_cluster/health

A response other than 401 Unauthorized (for example 200 with cluster details, or 403 Forbidden, which shows the anonymous user was matched and then denied) indicates the anonymous user is still enabled.

Check Version:

  ece version                                (for ECE)
  curl http://<elasticsearch-host>:9200      (for the Elasticsearch version)

Verify Fix Applied:

Verify that unauthenticated queries now return a proper authentication error:

  curl -X GET http://<elasticsearch-host>:9200/_cluster/health

should return 401 Unauthorized.
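The two checks above (the unauthenticated probe of /_cluster/health and the anonymous-user settings in elasticsearch.yml) can be scripted so they run the same way against every deployed cluster. The following is an added example written for this page, not Elastic's own tooling: the host name, the two sample elasticsearch.yml fragments and the verdict labels are constructed for illustration, and the status-code mapping relies on the documented Elasticsearch behaviour that authz_exception: false turns a denied unauthenticated request into a 401 instead of a 403.

```python
# Added example (not part of the original advisory or of Elastic's code):
# assess whether an Elasticsearch node still honours the ECE default
# anonymous user. Hosts, sample configs and labels below are constructed.
import urllib.error
import urllib.request

ANON_KEYS = (
    "xpack.security.authc.anonymous.username",
    "xpack.security.authc.anonymous.roles",
    "xpack.security.authc.anonymous.authz_exception",
)


def classify_probe(status):
    """Verdict for an unauthenticated GET /_cluster/health.

    401 -> the node demands credentials: anonymous access is off.
    403 -> a principal (the anonymous user) was matched and then denied,
           so the anonymous user still exists even without roles.
    200 -> cluster details were served without any credentials.
    """
    if status == 401:
        return "fixed"
    if status == 403:
        return "anonymous-user-present"
    if status == 200:
        return "vulnerable"
    return "unknown"


def probe_cluster_health(base_url, timeout=5):
    """Send the unauthenticated probe and return the HTTP status code.

    This is the only network call; the offline checks never invoke it.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/_cluster/health")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def parse_anonymous_settings(yml_text):
    """Pull the three anonymous-access keys out of elasticsearch.yml.

    ECE writes these as flat dotted keys, so a line-oriented parser is
    enough here; comments after '#' are ignored.
    """
    found = {}
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in ANON_KEYS:
            found[key] = value
    return found


def assess_config(yml_text):
    """Summarise the anonymous-access posture expressed by elasticsearch.yml.

    The anonymous user only exists when the roles setting is non-empty;
    authz_exception=false makes denied unauthenticated requests answer 401
    rather than 403, which is what the workaround relies on.
    """
    settings = parse_anonymous_settings(yml_text)
    roles = settings.get("xpack.security.authc.anonymous.roles", "")
    roles_list = [r.strip() for r in roles.strip("[]").split(",") if r.strip()]
    authz_exc = settings.get(
        "xpack.security.authc.anonymous.authz_exception", "true"
    ).lower() == "true"
    return {
        "anonymous_user_present": bool(roles_list),
        "denied_requests_get_401": not authz_exc,
        "workaround_applied": not roles_list and not authz_exc,
    }


# Constructed sample: a cluster config that still maps unauthenticated
# callers to a role-bearing anonymous user (hypothetical role name).
SAMPLE_DEFAULT = """cluster.name: ece-sample
xpack.security.authc.anonymous.username: anonymous
xpack.security.authc.anonymous.roles: anonymous
xpack.security.authc.anonymous.authz_exception: true
"""

# Constructed sample: the workaround from this advisory applied.
SAMPLE_FIXED = """cluster.name: ece-sample
xpack.security.authc.anonymous.username: _anonymous
xpack.security.authc.anonymous.roles: []   # no roles -> no anonymous user
xpack.security.authc.anonymous.authz_exception: false
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_anon.py http://<elasticsearch-host>:9200
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9200"
    print(target, "->", classify_probe(probe_cluster_health(target)))
    print("default config:", assess_config(SAMPLE_DEFAULT))
    print("fixed config:  ", assess_config(SAMPLE_FIXED))
```

Run it once per deployment with the cluster's API URL; a "fixed" verdict together with workaround_applied true from the node's actual elasticsearch.yml is the combination you want to see after patching or applying the workaround.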

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to Elasticsearch API endpoints
  • Requests from unexpected source IPs to Elasticsearch ports
  • Failed authentication attempts for '_anonymous' user

Network Indicators:

  • Unencrypted traffic to Elasticsearch API ports from unauthorized sources
  • Repeated connection attempts to port 9200/9300

SIEM Query:

(destination.port:9200 OR destination.port:9300) AND (http.status_code:200 OR http.method:GET) AND NOT user.authenticated:true

The parentheses matter: without them AND binds more tightly than OR and the query would match every event on port 9200 regardless of authentication. Traffic to the Elasticsearch listeners is identified by the destination port; the source port of a client connection is ephemeral.

🔗 References

  • https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180