BIT-elasticsearch-2024-52979
Uncontrolled Resource Consumption vulnerability in elasticsearch (Maven)
What is BIT-elasticsearch-2024-52979 About?
This vulnerability is an Uncontrolled Resource Consumption flaw in Elasticsearch, leading to a Denial of Service (DoS). It allows an attacker to create specially crafted search templates with Mustache functions that can crash an Elasticsearch node. The impact is a disruption of service, and exploitation requires crafting specific templated queries.
Affected Software
- org.elasticsearch:elasticsearch
  - <7.17.25
  - >8.0.0-alpha1, <8.16.0
Technical Details
The vulnerability lies in Elasticsearch's evaluation of search templates, specifically templates that use Mustache functions. An attacker can craft a search template containing complex or recursive Mustache functions, or functions that incur excessive computational overhead. When Elasticsearch evaluates such a template, the uncontrolled resource consumption, likely CPU or memory, can overwhelm the node. The resulting exhaustion crashes the Elasticsearch node, denying service to whatever relies on it. The attack vector is the submission of these malicious search templates.
What is the Impact of BIT-elasticsearch-2024-52979?
Successful exploitation may allow attackers to render services unavailable, cause critical system failures, and disrupt the normal operation of Elasticsearch nodes.
What is the Exploitability of BIT-elasticsearch-2024-52979?
Exploitation requires an attacker to submit specifically crafted search templates to an Elasticsearch instance. The complexity of crafting such a template would depend on the intricacies of Mustache functions and Elasticsearch's template processing logic. Authentication requirements would depend on whether search template submission is restricted; if authenticated requests are needed, the attacker must have legitimate user credentials. Privilege requirements would likely be those associated with creating or updating search templates. This is a remote exploitation scenario. The primary constraint is the attacker's ability to send requests that trigger the evaluation of custom search templates. The likelihood of exploitation increases if the Elasticsearch instance is publicly accessible and allows unauthenticated or low-privilege users to submit search templates.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-elasticsearch-2024-52979?
Available Upgrade Options
- org.elasticsearch:elasticsearch
  - <7.17.25 → Upgrade to 7.17.25
  - >8.0.0-alpha1, <8.16.0 → Upgrade to 8.16.0
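Deciding whether a running node falls inside the affected ranges is mostly a version-comparison problem, complicated by the 8.0.0-alpha1 pre-release bound. The following script is an added example, not part of this advisory or of the Elasticsearch project: it encodes the two ranges and upgrade targets listed above, parses Elasticsearch-style version strings (including alpha/beta/rc suffixes) into comparable tuples, and reads the version out of the JSON that a node's root endpoint (`GET /`, field `version.number`) returns. The cluster-info document it checks is a constructed sample, not real node output.

```python
"""Check whether an Elasticsearch version falls in the ranges this advisory lists.

Added example, not part of the advisory or of Elasticsearch itself. The ranges and
fix versions below are copied from the advisory; the sample cluster-info JSON is
constructed to mimic the shape of Elasticsearch's root endpoint (GET /) response.
"""
import json
import re

# Ranges exactly as stated on the advisory:
# (exclusive lower bound or None, exclusive upper bound, version to upgrade to).
AFFECTED_RANGES = [
    (None, "7.17.25", "7.17.25"),
    ("8.0.0-alpha1", "8.16.0", "8.16.0"),
]

_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d*))?$")


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[-alphaN|-betaN|-rcN]' into a comparable tuple.

    A final release sorts after any of its pre-releases, so
    8.0.0-alpha1 < 8.0.0-rc1 < 8.0.0. Snapshot builds and other suffixes are
    rejected rather than guessed at, so an operator sees the odd string.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        pre = (0, _PRE_ORDER[m.group(4)], int(m.group(5) or 0))
    else:
        pre = (1, 0, 0)  # release: sorts above any pre-release of the same core
    return core + pre


def fix_for(version):
    """Return the advisory's upgrade target if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper, target in AFFECTED_RANGES:
        if lower is not None and v <= parse_version(lower):
            continue  # below or at the exclusive lower bound
        if v < parse_version(upper):
            return target
    return None


def is_affected(version):
    return fix_for(version) is not None


def version_from_cluster_info(body):
    """Extract version.number from the JSON document that GET / returns."""
    return json.loads(body)["version"]["number"]


# Constructed sample of a root-endpoint response; values are made up.
SAMPLE_CLUSTER_INFO = json.dumps({
    "name": "node-1",
    "cluster_name": "lab",
    "version": {"number": "8.15.3", "build_flavor": "default"},
    "tagline": "You Know, for Search",
})

if __name__ == "__main__":
    running = version_from_cluster_info(SAMPLE_CLUSTER_INFO)
    target = fix_for(running)
    if target:
        print(f"{running}: affected, upgrade to {target}")
    else:
        print(f"{running}: not in the advisory's affected ranges")
```

Because the lower bound of the 8.x range is written as an exclusive `>8.0.0-alpha1`, the script treats exactly `8.0.0-alpha1` as outside the range, matching the advisory's wording; any later 8.x pre-release or release below 8.16.0 is reported as affected.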
Additional Resources
- https://github.com/elastic/elasticsearch/pull/114002
- https://nvd.nist.gov/vuln/detail/CVE-2024-52979
- https://github.com/elastic/elasticsearch
- https://discuss.elastic.co/t/elasticsearch-7-17-25-and-8-16-0-security-update-esa-2024-40/377709
- https://github.com/elastic/elasticsearch/commit/cbde7f456d7ccd98556302fccf3238bb4557fc91
- https://osv.dev/vulnerability/GHSA-mm3m-5497-xggg
- https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf
What are Similar Vulnerabilities to BIT-elasticsearch-2024-52979?
Similar Vulnerabilities: CVE-2023-22809, CVE-2022-38686, CVE-2021-41071, CVE-2021-36770, CVE-2021-36729
