CVE-2018-3825 is a vulnerability in Elastic Cloud Enterprise
Published on September 19, 2018
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.
Weakness Type
Use of Hard-coded Cryptographic Key
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Products Associated with CVE-2018-3825
Want to know whenever a new CVE is published for Elastic Cloud Enterprise? stack.watch will email you.
Affected Versions
Elastic Cloud Enterprise (ECE) Version before 1.1.4 is affected by CVE-2018-3825Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.