Impact of CVE-2024-23450 affecting Elasticsearch on Enterprise Vault, Compliance Accelerator and Discovery Accelerator
Description
CVE-2024-23450: Elasticsearch Uncontrolled Resource Consumption vulnerability
A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash.
https://nvd.nist.gov/vuln/detail/cve-2024-23450
Affected Versions
- Elasticsearch versions on or after 7.0.0 and before 7.17.19
- Elasticsearch versions on or after 8.0.0 and before 8.13.0
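An added example, not part of the advisory and not Veritas or Elastic code: a check of a deployment against the two conditions named above, a version inside the affected ranges and ingest pipelines that call other pipelines. It assumes the pipeline definitions were exported as JSON from Elasticsearch's `GET _ingest/pipeline` API; the function names and the sample data are constructed for illustration, and no crash threshold is assumed because the advisory does not state one.

```python
import re

# Affected ranges from the advisory, as [lower, upper) version tuples.
AFFECTED = [((7, 0, 0), (7, 17, 19)), ((8, 0, 0), (8, 13, 0))]

def version_affected(version):
    """True if an Elasticsearch version string is in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(p) for p in m.groups())
    return any(lo <= v < hi for lo, hi in AFFECTED)

def referenced(processors):
    """Yield pipeline names called by `pipeline` processors, including ones
    inside `foreach` processors and `on_failure` handlers."""
    for proc in processors or []:
        for ptype, body in proc.items():
            if not isinstance(body, dict):
                continue
            if ptype == "pipeline" and "name" in body:
                yield body["name"]
            if ptype == "foreach" and isinstance(body.get("processor"), dict):
                yield from referenced([body["processor"]])
            yield from referenced(body.get("on_failure"))

def nesting_depth(pipelines):
    """Longest chain of pipeline-to-pipeline calls from each pipeline id (1 = calls
    none). Cycles and unknown or templated names end the chain."""
    def depth(pid, stack):
        if pid not in pipelines or pid in stack:
            return 0
        body = pipelines[pid]
        refs = list(referenced(body.get("processors")))
        refs += referenced(body.get("on_failure"))
        return 1 + max((depth(r, stack | {pid}) for r in refs), default=0)
    return {pid: depth(pid, frozenset()) for pid in pipelines}

# Constructed sample in the shape returned by GET _ingest/pipeline.
SAMPLE = {
    "outer": {"processors": [{"set": {"field": "a", "value": 1}},
                             {"pipeline": {"name": "middle"}}]},
    "middle": {"processors": [{"foreach": {"field": "items",
               "processor": {"pipeline": {"name": "inner"}}}}]},
    "inner": {"processors": [{"lowercase": {"field": "msg"}}]},
    "loop": {"processors": [{"pipeline": {"name": "loop"}}]},
}

print(version_affected("8.12.2"), nesting_depth(SAMPLE))
```

An empty result from `nesting_depth`, or a depth of 1 for every pipeline, means no pipeline invokes another one.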
CVSS 3.x Severity and Vector Strings
- NIST: NVD
  - Base Score: 7.5 HIGH
  - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CNA: Elastic
  - Base Score: 4.9 MEDIUM
  - Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Impact
The Elasticsearch back-end infrastructure used by Enterprise Vault is not impacted by this vulnerability, as Enterprise Vault does not use the approach/method mentioned in the vulnerability statement.
Certain components of Elasticsearch may be present on the Compliance Accelerator/Discovery Accelerator servers because the Enterprise Vault API/binaries are a prerequisite and must be installed there. However, Compliance Accelerator and Discovery Accelerator do not use Elasticsearch.
Mitigation
As Enterprise Vault is not affected, no mitigation or resolution is required.
As Compliance Accelerator and Discovery Accelerator are not affected, no mitigation or resolution is required.
Questions
For questions or problems regarding these vulnerabilities, please contact Technical Support.
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC AND/OR ARCTERA US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.