Assess CVE-2023-44487 for Search Guard

Hi Team

Search Guard plugin contains references to Netty codec which has been reported as affected by CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

I’m trying to search for additional information on this security vulnerability, but it is really hard as it affects the HTTP/2 protocol overall.

Can you confirm if the Search Guard plugin is affected and, if so, in which version it was addressed?

Thanks in advance.

Best regards.

Elasticsearch does not support HTTP/2 at the moment (cf. https://github.com/elastic/elasticsearch/issues/10981). Thus, the code in question is not actually used, so there should be no impact from that issue.

By the way, Netty is an indirect dependency that comes via the Elasticsearch HTTP transport component. Thus, Elastic needs to update that component to update the Netty dependency.
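As an added example (not code from Search Guard, Elastic or anyone in this thread), a small Python check that inventories the Netty jars under an Elasticsearch install and flags only netty-codec-http2 below 4.1.100.Final, the Netty release that fixed CVE-2023-44487. The install layout and jar versions it builds for the dry run are constructed, and a "below-fix" verdict still presupposes that the server actually negotiates HTTP/2, which the reply above notes Elasticsearch does not.

```python
"""Added check (constructed sample tree): inventory Netty jars under an
Elasticsearch install and flag netty-codec-http2 below the CVE-2023-44487 fix."""
import re
import tempfile
from pathlib import Path

# Netty fixed HTTP/2 Rapid Reset in 4.1.100.Final; only the http2 codec carries it.
FIXED_NETTY = (4, 1, 100)
JAR_RE = re.compile(r"^(netty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)\.Final\.jar$")


def inventory(root):
    """Map each Netty artifact under root to a list of (version_tuple, path)."""
    found = {}
    for jar in Path(root).rglob("*.jar"):
        m = JAR_RE.match(jar.name)
        if m:  # non-Netty jars (Lucene, plugin code) are skipped
            version = tuple(int(x) for x in m.group(2, 3, 4))
            found.setdefault(m.group(1), []).append((version, str(jar)))
    return found


def assess(found):
    """Classify exposure. A 'below-fix' result is only reachable if the
    server actually negotiates HTTP/2, which Elasticsearch does not."""
    http2 = found.get("netty-codec-http2", [])
    below = [(v, p) for v, p in http2 if v < FIXED_NETTY]
    if not http2:
        verdict = "codec-absent"
    elif below:
        verdict = "below-fix"
    else:
        verdict = "fixed-version"
    return {"verdict": verdict, "http2_jars": http2, "below_fix": below}


def build_sample_tree():
    """Constructed install layout with hypothetical versions for a dry run."""
    root = Path(tempfile.mkdtemp())
    mod = root / "modules" / "transport-netty4"
    mod.mkdir(parents=True)
    for name in ("netty-codec-http-4.1.94.Final.jar",
                 "netty-codec-http2-4.1.94.Final.jar",
                 "netty-handler-4.1.94.Final.jar", "lucene-core-9.7.0.jar"):
        (mod / name).touch()
    return root
```

Against a real install, call `assess(inventory("/path/to/elasticsearch"))`; the "modules/transport-netty4" directory name in the sample is an assumption about the HTTP transport module's layout.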