Discuss: Security Vulnerabilities: ESA-2023-14 - CVE-2023-31419

Hello, everybody.
According to the community's safety announcement:
"Elasticsearch StackOverflow vulnerability (ESA-2023-14)

A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service.

Affected Versions:

Elasticsearch versions from 7.0.0 to 7.17.12 and from 8.0.0 to 8.9.0

Solutions and Mitigations:

The issue is resolved in Elasticsearch 7.17.13 and 8.9.1

CVSSv3: 6.5 (Medium) - AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2023-31419"

Currently we are on the OSS version of Elasticsearch 7.10.2. We are not in a position to upgrade to a newer version of Elasticsearch. What could our options be here?

We do not know which issue is associated with this security update or which PR fixed the issue.

Can someone help?

Unfortunately I don't think there is much to do in this case, 7.10.2 is not supported anymore and will not receive any fix.

I don't think this information is made public by Elastic, but only someone from Elastic can confirm that.

That's correct. We can't discuss the details of security vulnerabilities in public, sorry.

This version has been EOL (and therefore ineligible for security fixes) for years. I'd strongly recommend you re-evaluate your position on upgrades.

