CVE-2024-43709
Published: 21 January 2025
Summary
CVE-2024-43709 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Elastic Elasticsearch. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 23.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2024-43709 is a vulnerability in Elasticsearch involving an allocation of resources without limits or throttling, which can lead to an OutOfMemoryError exception and subsequent crash. The issue is triggered by a specially crafted query that uses an SQL function. It is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation crashes the Elasticsearch instance, producing a denial-of-service condition (high availability impact, no confidentiality or integrity impact).
Elastic's security advisory ESA-2024-25 addresses the vulnerability with patches released in Elasticsearch versions 7.17.21 and 8.13.3. NetApp has also published advisory NTAP-20250221-0007 detailing the issue and mitigation steps for affected products.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0176
Vulnerability details
An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function.
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Application or System Exploitation
Why these techniques?
Direct mapping to application/system exploitation for DoS via resource exhaustion and crash from crafted query.
Mitigating Controls (NIST 800-53 r5)
SC-5 directly protects against denial-of-service attacks, including memory exhaustion from unbounded resource allocation triggered by specially crafted SQL queries in Elasticsearch.
SC-6 mandates controls to protect critical system resources like memory from degradation or loss due to excessive allocations without limits or throttling.
SI-2 ensures timely flaw remediation through patching, directly addressing the vulnerability fixed in Elasticsearch versions 7.17.21 and 8.13.3.