Security update associated with CVE-2023-31418 has confusing wording

According to this security update: Elasticsearch 8.9.0, 7.17.13 Security Update

"Elastic Cloud Enterprise up to versions 2.13.3 and 3.6.0" -- does this mean that Elastic Cloud Enterprise is vulnerable in all versions prior to 3.6.0, or that JUST 3.6.0 is also vulnerable in addition to 2.13.3 and prior, and should be updated to 3.6.1? Please advise.

I see what you mean; the wording appears to be ambiguous to me too. However, the mitigation describes how to react to this advisory:

Users should upgrade to Elastic Cloud Enterprise version 2.13.4 and 3.6.1

I'd suggest opening a support case if you need further information. Unfortunately we can't generally discuss security concerns in public forums much further than this. I'll try and find someone to clarify the advisory.
