APM Server 8.14.0 Security Update (ESA-2024-09)

APM Server - Uncontrolled Resource Consumption through HTTP/2 endpoints - CVE-2023-45288 (ESA-2024-09)

On April 4, 2024, the Go Project announced CVE-2023-45288, which can lead to CPU exhaustion: an attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data.

In an on-prem deployment, APM Server has been found vulnerable if exposed directly to HTTP traffic.

This vulnerability cannot be exploited on Elastic Cloud because the service is behind the Elastic Cloud proxy.

Affected Versions:

  • APM Server versions up to, but not including, 8.14.0
  • APM Server versions up to, but not including, 7.17.21

Solutions and Mitigations:
Users should upgrade to version 8.14.0.
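
The following Python is an added example, not code from Elastic or from this advisory: it checks APM Server version strings against the fixed releases listed above and sorts a constructed inventory by the exposure conditions the advisory describes. The record fields, the triage labels, the handling of pre-release builds, and the reading that each bullet applies to its own major version line are assumptions.

```python
import re

# Fixed releases named in the advisory, keyed by major version line.
# Assumption: each bullet covers its own major line (7.x and 8.x); older
# majors have no fixed release listed and are treated as affected.
# The trailing 1 marks a final release, so a pre-release of the fixed
# version sorts before it and is conservatively reported as affected.
FIXED = {7: (7, 17, 21, 1), 8: (8, 14, 0, 1)}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$")


def parse_version(text):
    """Return (major, minor, patch, is_final); raise ValueError otherwise."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_affected(version_text):
    """True if the version predates the fixed release of its major line."""
    version = parse_version(version_text)
    major = version[0]
    if major > max(FIXED):
        return False              # newer major line than any listed
    if major not in FIXED:
        return True               # older major line, no fixed release listed
    return version < FIXED[major]


def triage(host):
    """Classify one inventory record (hypothetical field names and labels)."""
    if host["elastic_cloud"]:
        return "not-exploitable"  # behind the Elastic Cloud proxy
    if not is_affected(host["version"]):
        return "fixed"
    return "upgrade-first" if host["direct_http"] else "upgrade"


# Constructed sample inventory, not real hosts.
INVENTORY = [
    {"name": "apm-edge-1", "version": "8.13.4", "elastic_cloud": False, "direct_http": True},
    {"name": "apm-int-1", "version": "7.17.20", "elastic_cloud": False, "direct_http": False},
    {"name": "apm-int-2", "version": "7.17.21", "elastic_cloud": False, "direct_http": False},
    {"name": "apm-rc", "version": "8.14.0-SNAPSHOT", "elastic_cloud": False, "direct_http": True},
    {"name": "apm-cloud", "version": "8.12.0", "elastic_cloud": True, "direct_http": False},
]

if __name__ == "__main__":
    for host in INVENTORY:
        print(f'{host["name"]:<12} {host["version"]:<16} {triage(host)}')
```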

Severity: CVSSv3.1 5.3 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID: CVE-2023-45288