Bug 1216733 (CVE-2023-31418)

Summary: VUL-0: CVE-2023-31418: elasticsearch: unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: cloud-bugs, fmccarthy, robert.simai, thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/383213/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-31418:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-31 08:59:22 UTC
An issue has been identified with how Elasticsearch handled incoming requests on
the HTTP layer. An unauthenticated user could force an Elasticsearch node to
exit with an OutOfMemory error by sending a moderate number of malformed HTTP
requests. The issue was identified by Elastic Engineering and we have no
indication that the issue is known or that it is being exploited in the wild.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-31418
Comment 1 Thomas Leroy 2023-11-03 10:00:37 UTC
The vuln is actually in the opensearch security plugin:

https://github.com/opensearch-project/security/security/advisories/GHSA-8wx3-324g-w4qq

I don't think this code is embedded in our elasticsearch packages
(in SUSE:SLE-12-SP3:Update:Products:Cloud8:Update and SUSE:SLE-12-SP4:Update:Products:Cloud9:Update). Maintainers, could you please confirm it?
Comment 2 Fergal Mc Carthy 2023-11-03 16:49:02 UTC
From the perspective of SOC 8 & 9 CLM, ElasticSearch is deployed as part of an internal workflow that is not exposed to customer access, so I don't believe that those products are directly impacted by this issue.

Additionally I did some digging related to the information that Thomas Leroy referenced, and when I look inside the ElasticSearch version 2.4.2 sources that our packages for SOC 8 & 9 are based on, I don't see any evidence of a search security plugin. Note that this is a very old version of ElasticSearch, and appears to pre-date that plugin.

I also couldn't find any specific code submission with a reference to this issue in the opensearch-project/security changes between 2.10 and 2.11 (one of the versions that the advisory says the issue is fixed in) which makes it hard to do any sort of code pattern search in the source code to see if a version of the problem may have existed in the 2.4.2 code base.
Comment 4 Thomas Leroy 2023-11-06 08:07:04 UTC
Many thanks Fergal for this precision. I consider SOC versions not affected. Closing.