SSB-2023-003 - Elasticsearch
Scalingo is aware of the recently reported issue regarding Elasticsearch (CVE-2023-31418).
This vulnerability would allow an unauthenticated user to bring down an Elasticsearch instance by sending malformed HTTP requests.
It cannot be exploited as-is on Scalingo, because we set up our Elasticsearch clusters behind a reverse proxy which does not allow unauthenticated calls.
Still, an authenticated user could bring down a server by sending massive amounts of requests with bogus data. Don't do this!
Because of a licensing change by Elastic, we cannot ship updated Elasticsearch versions and therefore will not be able to provide a patched version.
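The mitigation described above, as an added configuration example that is not Scalingo's own (the proxy software, hostnames, file paths and limits are assumptions): an nginx reverse proxy that answers 401 to unauthenticated callers itself, so their requests never reach Elasticsearch, and that additionally rate-limits authenticated callers, which goes beyond what the bulletin states.

```nginx
# Added example, not Scalingo's configuration. Hostnames, paths and limits are assumed.
# Goal: no request reaches Elasticsearch before authentication, and authenticated
# callers are bounded so a flood of bogus requests cannot take the node down.
limit_req_zone  $binary_remote_addr zone=es_req:10m rate=50r/s;
limit_conn_zone $binary_remote_addr zone=es_conn:10m;

upstream elasticsearch {
    # Elasticsearch listens on loopback only and is never exposed directly.
    server 127.0.0.1:9200;
}

server {
    listen 443 ssl;
    server_name es.example.internal;            # assumed hostname
    ssl_certificate     /etc/nginx/tls/es.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/tls/es.key;

    # nginx evaluates credentials itself and returns 401 for missing or wrong
    # ones, so an unauthenticated caller cannot deliver anything to the cluster.
    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/es.htpasswd;

    # Bound what an authenticated caller can do: request rate, concurrent
    # connections and body size are all capped before proxying.
    limit_req  zone=es_req burst=100 nodelay;
    limit_conn es_conn 20;
    client_max_body_size 10m;

    location / {
        proxy_pass         http://elasticsearch;
        proxy_set_header   Host $host;
        proxy_read_timeout 30s;
    }
}
```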
Scalingo Platform-As-A-Service is not impacted.
Scalingo DBaaS addons
Scalingo Database-As-A-Service Elasticsearch is impacted, but the vulnerability is mitigated by our authentication policy.
Other Scalingo addons and services
Other Scalingo Platform addons and features are not impacted.
2023-10-18: Initial version