Impact of CVE-2024-52979 affecting Elasticsearch on Enterprise Vault, Compliance Accelerator and Discovery Accelerator

Article ID: 100074570

Description

CVE-2024-52979: Elasticsearch Uncontrolled Resource Consumption vulnerability

A flaw was discovered in Elasticsearch: Uncontrolled Resource Consumption while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash.
https://nvd.nist.gov/vuln/detail/CVE-2024-52979

Affected Versions

- Elasticsearch versions prior to 7.17.25.
- Elasticsearch versions prior to 8.16.0.

CVSS 3.x Severity and Vector Strings

- NIST: NVD
  - Base Score: N/A
  - Vector: NVD assessment not yet provided.
- CNA: Elastic
  - Base Score: 6.5 MEDIUM
  - Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Impact

Mustache is a logic-less template language used by Elasticsearch to allow users to define templates with variables and limited logic (like conditionals and loops). Mustache functions refer to the use of the Mustache templating language to create dynamic search templates. CVE-2024-52979 identified an Uncontrolled Resource Consumption issue when Elasticsearch evaluates such user-defined search templates using Mustache functions.

The back-end infrastructure of Elasticsearch in the context of Enterprise Vault is not impacted by this vulnerability, as Enterprise Vault neither uses nor exposes Mustache function-based search templates. Search parameters are provided in a defined list by applications such as Enterprise Vault Search, Compliance Accelerator/Surveillance and Discovery Accelerator, and are provided via the user interface, not via any scripting languages.

An impacted version of Elasticsearch may be present on the EV servers, and on the Compliance Accelerator/Discovery Accelerator servers because the Enterprise Vault API/binaries are an installation prerequisite there. However, Enterprise Vault, Compliance Accelerator and Discovery Accelerator do not use the affected module or workflow. Therefore, the vulnerability is not exposed and cannot be exploited.
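To check on a given deployment that the search-template workflow described above is not in use, the following added example (not Veritas or Elastic code) scans Elasticsearch audit log lines for requests to the REST endpoints that evaluate or store search templates. It assumes audit logging is enabled and writes JSON lines carrying `url.path`, `request.method` and `user.name`; the function name and the sample lines are constructed for illustration.

```python
import json
import re

# Elasticsearch REST endpoints that render, run or store search templates.
# `_scripts` also holds non-Mustache stored scripts, so treat hits there as
# "needs review" rather than proof of template use.
TEMPLATE_API = re.compile(
    r"(?:^|/)(_search/template|_msearch/template|_render/template|_scripts)(?:/|$)"
)


def template_api_hits(lines):
    """Return (method, path, user) for each audit event touching a template endpoint."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines (rotation markers, partial writes)
        if not isinstance(event, dict):
            continue
        path = event.get("url.path", "")
        if TEMPLATE_API.search(path):
            hits.append(
                (event.get("request.method", "?"), path, event.get("user.name", "?"))
            )
    return hits


# Constructed sample audit lines (assumed field layout, not taken from a real system).
SAMPLE = [
    '{"user.name":"svc_search","request.method":"POST","url.path":"/archive-idx/_search"}',
    '{"user.name":"analyst1","request.method":"POST","url.path":"/archive-idx/_search/template"}',
    '{"user.name":"analyst1","request.method":"PUT","url.path":"/_scripts/tpl1"}',
    "not json",
    '{"user.name":"svc_search","request.method":"GET","url.path":"/_cluster/health"}',
]

if __name__ == "__main__":
    for method, path, user in template_api_hits(SAMPLE):
        print(f"template API request: {method} {path} by {user}")
```

An empty result over a representative log window is consistent with the statement that the products do not use search templates; any hit identifies the account and endpoint to review.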

Mitigation

As Enterprise Vault is not affected, no mitigation or resolution is required.
As Compliance Accelerator and Discovery Accelerator are not affected, no mitigation or resolution is required.

Note - It is NOT recommended to attempt upgrading the Elasticsearch component independently as this can cause unexpected product behaviour in Enterprise Vault, Compliance Accelerator and Discovery Accelerator.

Questions

For questions or problems regarding this vulnerability, please contact Technical Support (https://www.veritas.com/support).

Environment

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC AND/OR ARCTERA US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Additional Information

JIRA: CFT-7265