TLS Trust Manager Vulnerability in X-Pack Security by Elastic
CVE-2017-8445

5.5MEDIUM

Key Information:

Vendor: Elastic
Status: Elastic X-pack Security
Vendor: CVE Published:; 18 August 2017

Summary

A vulnerability exists in the X-Pack Security TLS trust manager, affecting versions 5.0.0 to 5.5.1. In situations where trust material reloading fails, the TLS trust manager could be replaced by an instance that bypasses certificate validation, allowing any node with any certificate to connect to the cluster. This presents a significant risk as it undermines the intended security measures, which should involve rejecting untrusted certificates to maintain secure communications between nodes.

Affected Version(s)

Elastic X-Pack Security 5.0.0 to 5.5.1

References

https://www.elastic.co/community/security

x_refsource_CONFIRM

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 18, 2017
Vulnerability Reserved
May 2, 2017