Elastic Cloud Enterprise (ECE) 2.13.3, 3.3.0 Security Update

ECE Denial of Service (DoS) issue (ESA-2023-09)

A denial of service vulnerability was discovered in ECE that could lead to the ECE Admin API server becoming unavailable if a maliciously crafted JWT is supplied. This is due to the use of a transitive dependency, json-smart, which parses nested arrays in an unsafe way. Deployments that run on ECE are unaffected.
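As an added illustration of the failure mode (this is not Elastic's or json-smart's code), the check below bounds the nesting depth of a JWT's header and payload with a flat scan, so a recursive JSON parser never sees input nested deeper than the limit; the 32-level bound, `json_nesting_depth`, `jwt_within_depth_limit` and the token helper are assumptions made for this example.

```python
import base64

MAX_NESTING_DEPTH = 32  # assumed bound for this illustration only


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_nesting_depth(text: str, limit: int = MAX_NESTING_DEPTH) -> int:
    """Deepest [ / { nesting, found by a flat scan rather than recursion."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:                 # inside "...": only track escapes/close
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
            if max_depth > limit:     # over budget: stop before parsing it
                return max_depth
        elif ch in "]}":
            depth -= 1
    return max_depth


def jwt_within_depth_limit(token: str, limit: int = MAX_NESTING_DEPTH) -> bool:
    """True when both the header and payload segments stay within ``limit``."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        segments = [_b64url_decode(p).decode("utf-8") for p in parts[:2]]
    except (ValueError, UnicodeDecodeError):
        return False
    return all(json_nesting_depth(s, limit) <= limit for s in segments)


def make_test_token(payload_json: str) -> str:  # constructed test helper
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b'{"alg":"HS256","typ":"JWT"}'
    return ".".join([enc(header), enc(payload_json.encode()), enc(b"sig")])
```

The scan stops at the first level past the bound, so an oversized token costs only a short prefix of work; the signature is not checked here because the point is to reject the input before any parsing or verification recurses into it.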

Affected Versions:

ECE Versions before 2.13.3 and before 3.3.0

Solutions and Mitigations:

The dependency has been updated, which resolves the issue in versions 2.13.3 and 3.3.0.

CVSSv3: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID: CVE-2023-1370