Scalingo is aware of the recently reported issue regarding Elasticsearch (CVE-2023-31418).

This vulnerability would allow an unauthenticated user to bring down an Elasticsearch instance by sending malformed HTTP requests.

It cannot be exploited as-is on Scalingo, because we setup our Elasticsearch clusters with a reverse proxy which does not allow unauthenticated calls.

Still, an authenticated user could bring down a server by sending massive amounts of requests with bogus data. Don’t do this !

As we can’t provide any updated versions due to a licensing change by Elastic, we won’t be able to provide a patched version.

Action required

None

Scalingo PaaS

Scalingo Platform-As-A-Service is not impacted.

Scalingo DBaaS addons

Scalingo Database-As-A-Service Elasticsearch is impacted, but the vulnerability is mitigated by our authentication policy.

Other Scalingo addons and services

Other Scalingo Platform addons and features are not impacted.

Changelog

2023-10-18 : Initial version