Elasticsearch 8.8.2, 7.17.11 Security Update

Elasticsearch Denial of Service (DoS) issue (ESA-2023-10)

This issue only affects users that have at least one OpenID Connect authentication realm or at least one JWT authentication realm configured.

A denial of service vulnerability was discovered in Elasticsearch that could lead to the service becoming unavailable if a maliciously crafted JWT is supplied. The root cause is the transitive dependency json-smart, which parses nested arrays in an unsafe way.
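As an added mitigation example (not part of this advisory and not Elasticsearch's own code), a flat, non-recursive nesting-depth check that a gateway or login front end can apply to a JWT's header and payload before any JSON parser touches them; MAX_JSON_DEPTH, the helper names and the sample tokens are assumptions constructed here:

```python
import base64
import json

# Assumption: 32 levels is far beyond what legitimate JWT claims need.
MAX_JSON_DEPTH = 32

def json_nesting_depth(text: str) -> int:
    """Max [ / { nesting depth via a flat, non-recursive scan; brackets inside strings ignored."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_within_depth(token: str, limit: int = MAX_JSON_DEPTH) -> bool:
    """Screen a compact JWT's header and payload before a real JSON parser sees them."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        return all(json_nesting_depth(_b64url_decode(p).decode("utf-8")) <= limit
                   for p in parts[:2])
    except (ValueError, UnicodeDecodeError):
        return False

def make_unsigned_token(header: dict, payload_json: str) -> str:
    """Constructed test helper: compact JWT with an empty signature segment."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return f"{enc(json.dumps(header).encode())}.{enc(payload_json.encode())}."

# Constructed samples: normal claims, and a payload nested 64 deep to exercise the check.
HEADER = {"alg": "HS256", "typ": "JWT"}
BENIGN_TOKEN = make_unsigned_token(HEADER, '{"sub": "alice", "roles": ["admin", "ops"]}')
DEEP_TOKEN = make_unsigned_token(HEADER, '{"claim": ' + "[" * 64 + "]" * 64 + "}")
```

The scan never recurses, so the screening step itself cannot be exhausted by the input it is rejecting; signature verification still happens afterwards in the normal path.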

Affected Versions:

Elasticsearch Versions after 7.2.0 and before 7.17.11, and versions after 8.0.0 and before 8.8.2

Solutions and Mitigations:

The issue has been resolved in versions 8.8.2 and 7.17.11.

CVSSv3: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID: CVE-2023-1370
