CVE-2024-11994
Description
APM Server logs could contain parts of the document body from a partially failed bulk index request. Depending on the nature of the document, this could disclose sensitive information in APM Server error logs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
APM Server logs may include document body fragments from failed bulk index requests, potentially leaking sensitive data.
Vulnerability
CVE-2024-11994 describes an information disclosure flaw in Elastic APM Server, where error logs can contain portions of the document body from a partially failed bulk index request [1]. This occurs because the logging mechanism inadvertently captures and records the partial content of documents that failed during bulk indexing operations, rather than sanitizing or omitting that data.
Exploitation
An attacker with low privileges and adjacent network access can exploit this vulnerability without user interaction, as the CVSS vector indicates (AV:A/AC:L/PR:L/UI:N) [1]. The attack surface involves triggering partial failures in bulk index requests to the APM Server, causing the server to log fragments of the request body. No additional authentication is required beyond the low-privilege access needed to send such requests.
Impact
Successful exploitation results in the disclosure of sensitive information contained within the document body, such as personal data, credentials, or other confidential fields, which are written into APM Server error logs [1]. This violates confidentiality and could lead to further compromise if logs are accessible to unauthorized parties.
Mitigation
Elastic has resolved the issue in APM Server version 8.16.1 [1]. Users running versions between 8.0.0 and 8.16.0 should upgrade to 8.16.1 or later. No workarounds are provided; upgrading is the recommended mitigation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <8.16.1
Patches
No patches discovered yet.
References
1 reference
News mentions
No linked articles in our index yet.