CVE-2022-35980: CWE-612: Improper Authorization of Index Containing Sensitive Information in opensearch-project security

Medium
Published: Fri Aug 12 2022 (08/12/2022, 17:40:09 UTC)
Source: CVE
Vendor/Project: opensearch-project
Product: security

Description

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features, namely document level security (DLS), field level security (FLS), and/or field masking, will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customers have acted to restrict access to that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended workaround.

AI-Powered Analysis

Last updated: 06/22/2025, 23:36:02 UTC

Technical Analysis

CVE-2022-35980 is an information disclosure vulnerability affecting the OpenSearch Security plugin versions 2.0.0.0 through 2.1.0.0. OpenSearch Security is a plugin designed to provide encryption, authentication, and authorization capabilities for OpenSearch clusters. The vulnerability arises due to improper authorization checks when queries target aliased indices, specifically impacting configurations that use advanced access control features such as Document Level Security (DLS), Field Level Security (FLS), and field masking. In these configurations, requests that match an aliased index pattern bypass the intended filtering mechanisms. OpenSearch Dashboards, by default, creates an alias named `.kibana`. When access control filters are applied with a wildcard index pattern (e.g., `*`), these filters fail to restrict access to documents or fields within aliased indices like `.kibana`. Consequently, users or attackers with query access can retrieve sensitive information that should have been protected by the DLS/FLS policies. This flaw undermines the confidentiality guarantees of the security plugin, potentially exposing sensitive customer data. The issue was fixed in OpenSearch version 2.2.0 and OpenSearch Security plugin version 2.2.0.0. No workarounds are recommended, making timely patching essential. There are no known exploits in the wild as of the publication date, but the vulnerability's nature makes it a significant risk for improperly secured clusters.

Potential Impact

For European organizations using OpenSearch with the affected security plugin versions, this vulnerability poses a risk of unauthorized data disclosure. Organizations relying on DLS, FLS, or field masking to enforce strict data access policies may find these controls ineffective against queries targeting aliased indices. This can lead to exposure of sensitive internal data, including potentially regulated personal data subject to GDPR, intellectual property, or operational secrets. The default alias `.kibana` is commonly used for storing dashboards and visualizations, which may contain sensitive metadata or configuration information. Unauthorized access to such data could facilitate further attacks or data leaks. Given the increasing adoption of OpenSearch in sectors such as finance, healthcare, and public administration across Europe, the vulnerability could impact critical infrastructure and services. The lack of a workaround means that organizations must upgrade promptly to avoid prolonged exposure. Additionally, the vulnerability could undermine trust in data governance and compliance efforts, leading to reputational damage and regulatory penalties.

Mitigation Recommendations

1. Immediate upgrade to OpenSearch version 2.2.0 or later and OpenSearch Security plugin version 2.2.0.0 or later to apply the official fix.
2. Review and audit all OpenSearch clusters to identify instances running affected versions of the security plugin.
3. Restrict query access to trusted users only until patching is complete, minimizing exposure risk.
4. Avoid using wildcard index patterns (`*`) in access control filters where possible, especially in conjunction with aliased indices, to reduce the attack surface.
5. Implement strict network segmentation and access controls around OpenSearch clusters to limit query access to authorized personnel and systems.
6. Monitor OpenSearch logs for unusual query patterns targeting aliased indices such as `.kibana`.
7. Conduct a post-patch verification to ensure that DLS/FLS policies are correctly enforced on aliased indices.
8. Educate security and DevOps teams about the implications of alias usage in OpenSearch and the importance of keeping security plugins up to date.
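
An offline audit sketch for recommendations 2 and 4, added here as an example and not taken from the advisory or from OpenSearch project code. It assumes you have saved the JSON output of `GET _cat/plugins?format=json`, `GET _cat/aliases?format=json` and `GET _plugins/_security/api/roles`; the node names, role names and the `.kibana_1` index below are constructed sample data, and treating every plugin version from 2.0.0.0 up to (not including) 2.2.0.0 as affected is an assumption based on the versions named above.

```python
from fnmatch import fnmatchcase

# Constructed sample data shaped like the three API responses (not from a real cluster).
PLUGINS = [{"name": "node-1", "component": "opensearch-security", "version": "2.1.0.0"},
           {"name": "node-2", "component": "opensearch-security", "version": "2.2.0.0"}]
ALIASES = [{"alias": ".kibana", "index": ".kibana_1"}]
ROLES = {
    "hr_readonly": {"index_permissions": [{"index_patterns": ["*"],
        "dls": '{"term": {"dept": "hr"}}', "fls": ["~salary"], "masked_fields": []}]},
    "logs_reader": {"index_permissions": [{"index_patterns": ["logs-*"],
        "dls": "", "fls": [], "masked_fields": ["client_ip"]}]},
    "plain_reader": {"index_permissions": [{"index_patterns": ["*"],
        "dls": "", "fls": [], "masked_fields": []}]},
}

def parse_version(text):
    """'2.1.0.0' or '2.1.0.0-SNAPSHOT' -> (2, 1, 0, 0)."""
    return tuple(int(part) for part in text.split("-")[0].split("."))

def affected_nodes(plugins):
    """Nodes whose security plugin is >= 2.0.0.0 and < 2.2.0.0 (assumed affected range)."""
    return sorted(p["name"] for p in plugins
                  if p["component"] == "opensearch-security"
                  and (2, 0, 0, 0) <= parse_version(p["version"]) < (2, 2, 0, 0))

def exposed_rules(roles, aliases):
    """Role rules that depend on DLS/FLS/masking and whose pattern covers an aliased index."""
    aliased = {a["alias"] for a in aliases} | {a["index"] for a in aliases}
    findings = []
    for role, body in sorted(roles.items()):
        for perm in body.get("index_permissions", []):
            # Only rules that actually set a filter can lose one.
            controls = [k for k in ("dls", "fls", "masked_fields") if perm.get(k)]
            patterns = perm.get("index_patterns", [])
            hits = sorted(n for n in aliased
                          if any(fnmatchcase(n, pat) for pat in patterns))
            if controls and hits:
                findings.append((role, controls, hits))
    return findings

if __name__ == "__main__":
    print("Nodes to upgrade:", affected_nodes(PLUGINS))
    for role, controls, hits in exposed_rules(ROLES, ALIASES):
        print(f"Review role {role}: {controls} applied to pattern covering {hits}")
```

Roles reported by `exposed_rules` on a node listed by `affected_nodes` are the ones to re-test after upgrading, as in recommendation 7.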

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9844c4522896dcbf3b83

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/22/2025, 11:36:02 PM

Last updated: 7/27/2025, 4:25:22 AM
