Vulnerabilities > CVE-2018-3825 - Insecure Default Initialization of Resource vulnerability in Elastic Cloud Enterprise

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

high complexity

elastic

CWE-1188

NVD

Published: 2018-09-19

Updated: 2019-10-09

Summary

In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.

Vulnerable Configurations

Part	Description	Count
Application	Elastic Elastic Elastic Cloud Enterprise - Elastic Elastic Cloud Enterprise 1.0.0 Elastic Elastic Cloud Enterprise 1.0.1 Elastic Elastic Cloud Enterprise 1.0.2 Elastic Elastic Cloud Enterprise 1.1.0 Elastic Elastic Cloud Enterprise 1.1.1 Elastic Elastic Cloud Enterprise 1.1.2 Elastic Elastic Cloud Enterprise 1.1.3	8

Common Weakness Enumeration (CWE)

CWE-1188 - Insecure Default Initialization of Resource

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References