2293500 – (CVE-2023-46674) CVE-2023-46674 elasticsearch-hadoop: unsafe deserialization of java objects

Bug 2293500 (CVE-2023-46674) - CVE-2023-46674 elasticsearch-hadoop: unsafe deserialization of java objects

Summary: CVE-2023-46674 elasticsearch-hadoop: unsafe deserialization of java objects

Keywords:
Status:	NEW
Alias:	CVE-2023-46674
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2293501
TreeView+	depends on / blocked

Reported:	2024-06-20 20:45 UTC by Robb Gatica
Modified:	2025-03-17 23:44 UTC (History)
CC List:	1 user (show)
Fixed In Version:	elasticsearch-hadoop 7.17.11, elasticsearch-hadoop 8.9.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Robb Gatica 2024-06-20 20:45:02 UTC

Elasticsearch-hadoop Unsafe Deserialization (ESA-2023-28)

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.

Affected Versions:
Elasticsearch-hadoop versions on all versions before 7.17.11
Elasticsearch-hadoop versions on or after 8.0.0 and before 8.9.0

Solutions and Mitigations:
The issue is resolved in versions 7.17.11 and 8.9.0.

Reference:
https://discuss.elastic.co/t/elasticsearch-hadoop-7-17-11-8-9-0-security-update-esa-2023-28/348663

Note You need to log in before you can comment on or make changes to this bug.