Elastic Metricbeat Excessive Memory Allocation Vulnerability in Prometheus Remote Write Handler Leading to Denial of Service

A denial-of-service vulnerability has been identified in Elastic Metricbeat versions 8.0.0 prior to 8.19.12 and 9.0.0 prior to 9.2.4. The issue arises in the Prometheus remote_write HTTP handler, where memory allocation can be manipulated with excessively large size values. This flaw can cause excessive memory consumption, leading to process termination. The vulnerability only affects users who have enabled the Prometheus remote_write module, which is not activated by default.

Impact

Exploitation of this vulnerability causes the Metricbeat process to consume excessive memory, leading to crashes or termination. This behavior can be observed in system logs as 'out of memory' messages, and in kernel logs or container orchestration logs targeting the Metricbeat process. Network connections from unexpected or unauthorized source IP addresses to the remote_write endpoint port may also indicate exploitation.

Remediation

Users can upgrade to Metricbeat versions 8.19.13 or 9.2.5 to address this vulnerability. For those unable to upgrade, the Prometheus remote_write module can be disabled or network access to the remote_write endpoint can be restricted to trusted Prometheus server IP addresses.