BIT-elasticsearch-2021-22144
uncontrolled recursion vulnerability in elasticsearch (Maven)

Uncontrolled recursion | No known exploit

What is BIT-elasticsearch-2021-22144 About?

This vulnerability in Elasticsearch's Grok parser leads to an uncontrolled recursion that can result in a denial of service attack. A user able to submit arbitrary queries can craft a malicious Grok query to crash an Elasticsearch node. Exploiting this is straightforward for authenticated users.

Affected Software

  • org.elasticsearch:elasticsearch
    • <6.8.17
    • >7.0.0-alpha1, <7.13.3

Technical Details

The vulnerability affects Elasticsearch versions before 7.13.3 and 6.8.17 and lies in the Grok parser, which turns unstructured log data into structured, queryable data. It is an uncontrolled recursion flaw: a specially crafted Grok query, submitted by a user able to send arbitrary queries, can drive the parser into infinite or extremely deep recursion. The recursion exhausts system resources, typically stack memory, and ends in a stack overflow or a similar crash of the Elasticsearch node. The attack vector is the input Grok pattern, which triggers the excessive recursion through a logical flaw in how the pattern is evaluated or matched against data. The result is a denial of service for the affected node.

What is the Impact of BIT-elasticsearch-2021-22144?

Successful exploitation may allow attackers to trigger a denial of service (DoS) on an Elasticsearch node, making data unavailable to legitimate users and potentially impacting data integrity.

What is the Exploitability of BIT-elasticsearch-2021-22144?

Exploitation requires that an attacker has the ability to submit arbitrary queries to Elasticsearch, implying a certain level of authentication or existing access. The complexity level is low once an attacker knows the specific malicious Grok query pattern that triggers the recursion. While it doesn't require elevated privileges, the ability to submit queries is a prerequisite. This is typically a remote vulnerability, but could also be local if an attacker has system access to interact with Elasticsearch. The presence of a user interface or API allowing arbitrary Grok query submission significantly increases the likelihood of exploitation. No special conditions beyond query submission are required, making it a direct DoS vector for an authorized user.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for BIT-elasticsearch-2021-22144?

Available Upgrade Options

  • org.elasticsearch:elasticsearch
    • <6.8.17 → Upgrade to 6.8.17
  • org.elasticsearch:elasticsearch
    • >7.0.0-alpha1, <7.13.3 → Upgrade to 7.13.3
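
To check a fleet against these ranges, the following added example (not code from this advisory or from the Elasticsearch project) reads `version.number` from the JSON a node returns for `GET /` and reports the fixed release to move to. The sample responses are constructed, and the function names are this example's own.

```python
import json
import re

# Affected ranges and fixed releases, copied from the advisory above.
# Each entry: (exclusive lower bound or None, exclusive upper bound, fixed release).
RANGES = [(None, "6.8.17", "6.8.17"), ("7.0.0-alpha1", "7.13.3", "7.13.3")]

# Pre-release tags sort before the final release with the same number.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2}

def version_key(text):
    """Turn '7.0.0-alpha1' or '7.13.2' into a tuple that sorts correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        stage, n = _STAGE[m.group(4)], int(m.group(5))
    else:
        stage, n = 3, 0  # a final release ranks above every pre-release
    return (major, minor, patch, stage, n)

def fix_for(version):
    """Return the release to upgrade to, or None if outside the listed ranges."""
    key = version_key(version)
    for lower, upper, fixed in RANGES:
        # Both bounds are exclusive, exactly as the advisory lists them.
        if (lower is None or key > version_key(lower)) and key < version_key(upper):
            return fixed
    return None

def check_root_response(body):
    """Read version.number from a node's GET / response and classify it."""
    number = json.loads(body)["version"]["number"]
    return number, fix_for(number)

# Constructed sample responses, trimmed to the fields used here.
SAMPLES = [
    '{"name": "node-a", "version": {"number": "6.8.16"}}',
    '{"name": "node-b", "version": {"number": "7.13.2"}}',
    '{"name": "node-c", "version": {"number": "7.13.3"}}',
    '{"name": "node-d", "version": {"number": "7.0.0-alpha1"}}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        number, fixed = check_root_response(body)
        print(number, "-> upgrade to " + fixed if fixed else "-> not in a listed range")
```

Because the 7.x lower bound is listed as exclusive, `7.0.0-alpha1` itself is reported as outside the ranges.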

What are Similar Vulnerabilities to BIT-elasticsearch-2021-22144?

Similar Vulnerabilities: CVE-2020-13936, CVE-2018-8012, CVE-2017-0199, CVE-2019-17558