CVE-2017-8445

An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://www.elastic.co/community/security	Vendor Advisory
https://www.elastic.co/community/security	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:elastic:x-pack:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:34

Type	Values Removed	Values Added
References	~~() https://www.elastic.co/community/security - Vendor Advisory~~	() https://www.elastic.co/community/security - Vendor Advisory

Information

Published : 2017-08-18 20:29

Updated : 2024-11-21 03:34

NVD link : CVE-2017-8445

Mitre link : CVE-2017-8445

CVE.ORG link : CVE-2017-8445

JSON object : View

Products Affected

elastic

x-pack

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2017-8445", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2017-08-18T20:29:00.257", "references": [{"url": "https://www.elastic.co/community/security", "tags": ["Vendor Advisory"], "source": "bressers@elastic.co"}, {"url": "https://www.elastic.co/community/security", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "bressers@elastic.co", "description": [{"lang": "en", "value": "CWE-295"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates."}, {"lang": "es", "value": "Se ha encontrado un error en el administrador de confianza X-Pack Security TLS en las versiones de la 5.0.0 a la 5.5.1. Si la recarga del material de confianza fracasa, el administrador de confianza ser\u00e1 reemplazado por una instancia que conf\u00eda en todos los certificados. Esto podr\u00eda permitir que cualquier nodo se uniese a un cl\u00faster empleando cualquier certificado. El comportamiento adecuado en esta instancia es que el administrador de confianza TLS niegue todos los certificados."}], "lastModified": "2024-11-21T03:34:01.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:elastic:x-pack:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B4F9A05-371C-44E9-8345-BC837276FA18", "versionEndIncluding": "5.5.1", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "bressers@elastic.co"}