Assess CVE-2023-44487 for Search Guard

Hi Team

Search Guard plugin contains references to Netty codec which has been reported as affected by CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

I’m trying to search additional information for this security vulnerability, but it is really hard as it affects overal the HTTP/2 protocol.

Can you confirm if the Search Guard plugin is affected and is so, on which version it was addressed?

Thanks in advance.

Best regards.

Elasticsearch does not support HTTP/2 at the moment (cf Thus, the code in question is not actually used, so there should be no impact from that issue.

By the way, Netty is an indirect dependency that comes via the Elasticsearch HTTP transport component. Thus, Elastic needs to update that component to update the Netty dependency.