Weak Random Number Generator in ECK Versions Prior to 1.1.0 Allows Brute Forcing of Elasticsearch Credentials

Weak Random Number Generator in ECK Versions Prior to 1.1.0 Allows Brute Forcing of Elasticsearch Credentials

CVE-2020-7010 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the Elasticsearch credentials generated by ECK.

Learn more about our Cis Benchmark Audit For Kubernetes.