Search Guard Suite 52.6
Release Date: 2022-01-10
This is a bugfix release for a critical security issue for users which use filter-level DLS with msearch queries. Filter-level DLS was introduced in Search Guard 52.0; in the default configuration, it is only active when you are using term-lookup queries as DSL queries in the
sg_roles.yml file. Alternatively, it can be enabled using the configuration option
If you are using filter-level DLS, we are strongly recommending to apply this update soon.
Security Bug Fixes
Unauthorized Access on Indices Protected By Fiter-Level DLS using
A flaw was discovered in Search Guard where
msearch actions on indices protected by filter-level DLS could return all documents of the index instead of just the documents filtered by the DLS query. This flaw can occur non-deterministically. In most cases the result would be correct. In sporadic cases, however, the flaw might return an unfiltered query result.
Users who can customize the
msearch request flags, however, have the ability to trigger the flaw in a deterministic manner.
Search Guard versions 52.0.0 to 52.5.0.
Update to Search Guard version 52.6.0.
Do not grant
msearch privileges on indices protected by filter-level DLS.