Impact of CVE-2024-23450 affecting Elasticsearch on Enterprise Vault, Compliance Accelerator and Discovery Accelerator


Article ID: 100074203


Updated On:

Description

CVE-2024-23450: Elasticsearch Uncontrolled Resource Consumption vulnerability

A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash.
https://nvd.nist.gov/vuln/detail/cve-2024-23450

Affected Versions

- Elasticsearch versions on or after 7.0.0 and before 7.17.19
- Elasticsearch versions on or after 8.0.0 and before 8.13.0
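The description above says the crash is triggered by a deeply nested ingest pipeline, and the list above gives the affected version ranges. The following is an added example, not code from the advisory or from Enterprise Vault: it checks a reported Elasticsearch version against exactly the two ranges listed, and walks ingest pipeline definitions to report how deeply pipelines call one another. It assumes pipeline definitions in the shape returned by Elasticsearch's `GET _ingest/pipeline` API, where a processor of type `pipeline` references another pipeline by `name`; the sample pipeline definitions in the block are constructed for illustration.

```python
"""Added example (not from the advisory): CVE-2024-23450 version check and
ingest-pipeline nesting audit for an Elasticsearch cluster.

Assumptions: pipeline definitions look like the JSON body returned by
`GET _ingest/pipeline`, and a processor of type "pipeline" references the
called pipeline under the key "name". SAMPLE_PIPELINES is constructed data."""

from typing import Dict, Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the advisory: [lower inclusive, upper exclusive)
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 0, 0), (7, 17, 19)),
    ((8, 0, 0), (8, 13, 0)),
]


def parse_version(text: str) -> Version:
    """Turn '8.12.2' or '8.12.2-SNAPSHOT' into a comparable (major, minor, patch)."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    ver = parse_version(version)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


def _iter_processors(processors: List[dict]) -> Iterator[dict]:
    """Yield every processor, including those nested in an on_failure handler."""
    for proc in processors:
        yield proc
        for body in proc.values():
            if isinstance(body, dict):
                yield from _iter_processors(body.get("on_failure", []))


def pipeline_depth(pipelines: Dict[str, dict], name: str, _stack: Tuple[str, ...] = ()) -> int:
    """Maximum call depth reachable from pipeline `name` (a flat pipeline is depth 1).

    Raises ValueError on a cycle, because a cycle means unbounded recursion when
    a document is ingested, and KeyError when a referenced pipeline is missing."""
    if name in _stack:
        raise ValueError("pipeline cycle: " + " -> ".join(_stack + (name,)))
    if name not in pipelines:
        raise KeyError(f"pipeline {name!r} is referenced but not defined")
    depth = 1
    for proc in _iter_processors(pipelines[name].get("processors", [])):
        if "pipeline" in proc:
            child = proc["pipeline"]["name"]
            depth = max(depth, 1 + pipeline_depth(pipelines, child, _stack + (name,)))
    return depth


def audit_pipelines(pipelines: Dict[str, dict]) -> Dict[str, Optional[int]]:
    """Depth per pipeline; None marks a pipeline that participates in a cycle."""
    report: Dict[str, Optional[int]] = {}
    for name in pipelines:
        try:
            report[name] = pipeline_depth(pipelines, name)
        except ValueError:
            report[name] = None
    return report


# Constructed sample in the GET _ingest/pipeline response shape (not real cluster data).
SAMPLE_PIPELINES: Dict[str, dict] = {
    "flat": {"processors": [{"set": {"field": "tag", "value": "archived"}}]},
    "middle": {"processors": [{"pipeline": {"name": "flat"}}]},
    "outer": {"processors": [{"pipeline": {"name": "middle"}}]},
    "loop_a": {"processors": [{"pipeline": {"name": "loop_b"}}]},
    "loop_b": {"processors": [{"pipeline": {"name": "loop_a"}}]},
}


if __name__ == "__main__":
    for v in ("7.17.18", "7.17.19", "8.12.2", "8.13.0"):
        print(f"{v}: {'affected' if is_affected(v) else 'not affected'}")
    for name, depth in audit_pipelines(SAMPLE_PIPELINES).items():
        print(f"{name}: {'CYCLE' if depth is None else depth}")
```

To run this against a live cluster, feed the JSON body of `GET _ingest/pipeline` to `audit_pipelines` and the `version.number` field of `GET /` to `is_affected`. A flat result (every depth 1) corroborates the statement below that nested pipelines are not in use; a cycle or a large depth on an affected version is the condition the CVE describes.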

CVSS 3.x Severity and Vector Strings

- NIST: NVD
- Base Score: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CNA: Elastic
- Base Score: 4.9 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Impact

The Elasticsearch back-end used by Enterprise Vault is not impacted by this vulnerability, because Enterprise Vault does not use the nested ingest-pipeline processing described in the vulnerability statement.

Certain Elasticsearch components may be present on Compliance Accelerator and Discovery Accelerator servers, because those products require the Enterprise Vault API/binaries to be installed. However, Compliance Accelerator and Discovery Accelerator do not use Elasticsearch.

Mitigation

As Enterprise Vault is not affected, no mitigation or resolution is required.
As Compliance Accelerator and Discovery Accelerator are not affected, no mitigation or resolution is required.

Questions

For questions or problems regarding these vulnerabilities please contact Technical Support.

Environment

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC AND/OR ARCTERA US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.


Issue/Introduction

Impact of CVE-2024-23450 affecting Elasticsearch on Enterprise Vault, Compliance Accelerator and Discovery Accelerator

Additional Information

JIRA: CFT-7189