Elastic Cloud Enterprise 3.7.1 Security Update (ESA-2024-08)

Elastic Cloud Enterprise - Uncontrolled Resource Consumption through HTTP/2 endpoints - CVE-2023-45288 (ESA-2024-08)

On April 4, 2024, the Go Project announced CVE-2023-45288, which can lead to CPU exhaustion as an attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data.

In the case of Elastic Cloud Enterprise (ECE) it enables attackers to significantly increase the CPU usage of the proxy component within Elastic Cloud Enterprise. This heightened CPU usage can lead to a noticeable slowdown in the system's ability to respond to requests for provisioned deployments, and in severe cases, it may prevent the proxy from responding to such requests entirely.

Affected Versions:
Elastic Cloud Enterprise versions up to, but not including, 3.7.1

Solutions and Mitigations:
Users should upgrade to version 3.7.1

Severity: 5.3 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID: CVE-2023-45288