CVE-2017-8445
First published: Fri Aug 18 2017(Updated: )
An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic | >=5.0.0<=5.5.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-8445?
CVE-2017-8445 is classified as a high severity vulnerability due to its potential to allow unauthorized nodes to join a secure cluster.
How do I fix CVE-2017-8445?
To fix CVE-2017-8445, update your X-Pack Security to a version newer than 5.5.1 to ensure proper TLS trust management.
What versions are affected by CVE-2017-8445?
CVE-2017-8445 affects Elastic X-Pack versions from 5.0.0 to 5.5.1.
What could happen if CVE-2017-8445 is exploited?
If CVE-2017-8445 is exploited, it could allow an attacker to introduce malicious nodes into a cluster by trusting any certificate.
Is CVE-2017-8445 a local or remote vulnerability?
CVE-2017-8445 is considered a remote vulnerability since it can be exploited over the network by connecting unauthorized nodes.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/elastic
- canonical/elastic
- version/elastic/5.0.0
- version/elastic/5.5.1