2094515 – (CVE-2022-23712, ESA-2022-07) CVE-2022-23712 elasticsearch: DoS via a specifically formatted network request

Bug 2094515 (CVE-2022-23712, ESA-2022-07) - CVE-2022-23712 elasticsearch: DoS via a specifically formatted network request

Summary: CVE-2022-23712 elasticsearch: DoS via a specifically formatted network request

Keywords:
Status:	NEW
Alias:	CVE-2022-23712, ESA-2022-07
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2102998 2095202 2095203 2100880 2102999 2103000
Blocks:	2094521
TreeView+	depends on / blocked

Reported:	2022-06-07 18:52 UTC by Guilherme de Almeida Suckevicz
Modified:	2024-05-03 18:49 UTC (History)
CC List:	92 users (show)
Fixed In Version:	elasticsearch 8.2.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Elasticsearch. This flaw allows an unauthenticated attacker to forcibly shut down an Elasticsearch node with a specifically formatted network request, affecting system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2022-06-07 18:52:47 UTC

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

References:
https://www.elastic.co/community/security/
https://discuss.elastic.co/t/elastic-stack-7-17-4-and-8-2-1-security-update/305530

Comment 1 Petr Pisar 2022-06-08 07:00:16 UTC

Guilherme, I noticed you added plenty of contacts to this bug report. If this is because you intend to use this bug to handle all implementation of ECDSA which do not check R a S parameters of ECDSA for 0, then remove "elasticsearch" from a summary of this bug report. Otherwise, I cannot see a reason why perl-devel should be notified about a bug in a Java library.

Comment 2 Petr Pisar 2022-06-08 07:07:27 UTC

As far as I know, the only implementation of ECDSA in Perl packages is perl-CryptX (it bundles a developmental version of libtomcrypt). Other Perl packages should transitively use OpenSSL or perl-CryptX.

Comment 12 Sandipan Roy 2022-07-01 06:54:52 UTC

Created cadvisor tracking bugs for this issue:

Affects: fedora-all [bug 2102999]


Created elasticdump tracking bugs for this issue:

Affects: epel-all [bug 2102998]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2103000]

Note You need to log in before you can comment on or make changes to this bug.

admiller
aileenc
alazarot
anpicker
anstephe
aos-bugs
aos-network-edge-staff
asoldano
avibelli
bbaranow
bgeorges
bmaxwell
brian.stansberry
caswilli
cdewolf
chazlett
clement.escoffier
dandread
darran.lofthouse
dffrench
dhalasz
dkreling
dkuc
dosoudil
eglynn
emingora
eparis
ewolinet
extras-orphan
fjansen
fjuma
fmongiar
gmalinko
go-sig
grafana-maint
gsmet
gzaronik
ibek
iweiss
janstey
jcajka
jchaloup
jjoyce
jkurik
jnethert
jochrist
jrokos
jschatte
jwon
kaycoth
kverlaen
lgao
lmadsen
lmeyer
lthon
mburns
mgarciac
mnovotny
mosmerov
mrunge
msochure
msvehla
nathans
ngough
nobody
nwallace
openshift-release-oversight
pantinor
pdelbell
peholase
pgallagh
piotr1212
pjindal
pmackay
probinso
rareddy
rfreiman
rgodfrey
rguimara
rphillips
rruss
rstancel
rsvoboda
sbiarozk
sdouglas
smaestri
spasquie
spower
sthirugn
tom.jenkinson
vkrizan
vmugicag