CVE-2022-23712 – CVE-2022-23712 is a Denial of Service vulnerabi... (How to Fix)

Q: What is the severity of CVE-2022-23712?

CVE-2022-23712 has a CVSS score of 7.5 (HIGH). CVE-2022-23712 is a Denial of Service vulnerability in Elasticsearch where an unauthenticated attacker can send a specially crafted network request to forcibly shut down an Elasticsearch node. This affects Elasticsearch deployments that are exposed to untrusted networks, potentially causing service disruption.

📋 TL;DR

CVE-2022-23712 is a Denial of Service vulnerability in Elasticsearch where an unauthenticated attacker can send a specially crafted network request to forcibly shut down an Elasticsearch node. This affects Elasticsearch deployments that are exposed to untrusted networks, potentially causing service disruption.

💻 Affected Systems

Products:

Elasticsearch

Versions: All versions before 7.17.4 and 8.2.1

Operating Systems: All operating systems running Elasticsearch

Default Config Vulnerable: ⚠️ Yes

Notes: Any Elasticsearch instance with network access to port 9200 (or configured HTTP port) is vulnerable.

📦 What is this software?

Elasticsearch by Elastic

View all CVEs affecting Elasticsearch →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete cluster outage if multiple nodes are targeted, leading to data unavailability and service disruption.

🟠

Likely Case

Individual node shutdown causing temporary service degradation until the node restarts.

🟢

If Mitigated

Minimal impact if proper network segmentation and access controls prevent untrusted access to Elasticsearch ports.

🌐 Internet-Facing: HIGH - Internet-facing Elasticsearch instances are directly vulnerable to unauthenticated attacks.

🏢 Internal Only: MEDIUM - Internal systems could be vulnerable to insider threats or compromised internal hosts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires sending a specifically formatted request to the HTTP API, which is relatively simple to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.17.4 and 8.2.1

Vendor Advisory: https://discuss.elastic.co/t/elastic-stack-7-17-4-and-8-2-1-security-update/305530

Restart Required: Yes

Instructions:

1. Download Elasticsearch 7.17.4 or 8.2.1 from elastic.co. 2. Stop the Elasticsearch service. 3. Backup configuration and data. 4. Install the new version. 5. Restart the service.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict network access to Elasticsearch HTTP port (default 9200) to trusted sources only.

# Example iptables rule: iptables -A INPUT -p tcp --dport 9200 -s trusted_ip -j ACCEPT
# Then: iptables -A INPUT -p tcp --dport 9200 -j DROP

Reverse Proxy Filtering

all

Place Elasticsearch behind a reverse proxy that filters malicious requests.

🧯 If You Can't Patch

Implement strict network segmentation to isolate Elasticsearch from untrusted networks.
Deploy intrusion detection/prevention systems to monitor for DoS attack patterns.

🔍 How to Verify

Check if Vulnerable:

Check Elasticsearch version via HTTP API: curl -X GET 'http://localhost:9200/' and compare version number.

Check Version:

curl -X GET 'http://localhost:9200/' | grep number

Verify Fix Applied:

After patching, verify version shows 7.17.4 or 8.2.1 or higher via same API call.

📡 Detection & Monitoring

Log Indicators:

Unexpected node shutdown events in Elasticsearch logs
Error messages related to malformed requests

Network Indicators:

Unusual traffic patterns to port 9200 from untrusted sources
Specific request patterns triggering the vulnerability

SIEM Query:

source="elasticsearch.logs" AND "shutdown" AND "error"

📊 Metadata

CVE ID: CVE-2022-23712

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-754

Published: June 6, 2022

Last Updated: November 21, 2024

🔗 References

https://discuss.elastic.co/t/elastic-stack-7-17-4-and-8-2-1-security-update/305530 Release Notes,Vendor Advisory
https://security.netapp.com/advisory/ntap-20220707-0010/ Third Party Advisory
https://www.elastic.co/community/security/ Vendor Advisory
https://discuss.elastic.co/t/elastic-stack-7-17-4-and-8-2-1-security-update/305530 Release Notes,Vendor Advisory
https://security.netapp.com/advisory/ntap-20220707-0010/ Third Party Advisory
https://www.elastic.co/community/security/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-23712, you might also want to check these: