Elastic Kibana AI Inference Anonymization Engine Denial-of-Service Vulnerability via Regular Expression Exponential Blowup

Vulnerability

A denial-of-service vulnerability has been identified in the AI Inference Anonymization Engine of Elastic Kibana. The issue arises from a regular expression of inefficient complexity: on crafted input the regex engine's backtracking grows exponentially, causing a denial-of-service condition. The vulnerability affects Kibana versions 8.0.0 through 8.19.10 and 9.0.0 through 9.2.4. The vulnerable regex processing pipeline is only reachable when the Elastic AI Assistant for Security is enabled with custom anonymization rules.

Impact

Exploitation of this vulnerability causes excessive resource consumption while the anonymization regex is evaluated, which can leave the application unresponsive or unavailable.

Remediation

Users should upgrade to Kibana 8.19.11 or 9.2.5 to address this vulnerability. Users who cannot upgrade and have the AI Assistant enabled with custom anonymization rules should disable all custom anonymization rules in the Security AI settings until they can.
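The class of bug described above is catastrophic backtracking in a user-supplied regex. The advisory does not publish the affected pattern, so the following is an added example, not Kibana's or Elastic's code: a small defensive pre-check that refuses custom anonymization rules whose patterns nest an unbounded quantifier inside a quantified group (the classic `(a+)+` shape), and a redaction helper that also caps input length so that any pattern the static check misses still has bounded work to do. The rule shape `{ name, pattern }`, the function names, and the sample rules and text are all constructed for this illustration.

```javascript
// Added example (not Kibana's code). Rule shape { name, pattern } and the
// sample inputs below are constructed for this illustration.

// Returns true when `pattern` applies an unbounded quantifier (+, *, {n,})
// to a group that itself contains an unbounded quantifier, e.g. (a+)+ or
// (\w+\.)*. That nesting is the usual shape behind exponential backtracking.
// This is a conservative static check, not a proof of safety: overlapping
// alternations such as (a|aa)+ are not caught.
function hasNestedQuantifier(pattern) {
  const groupHasUnbounded = [];   // one flag per currently open group
  let inClass = false;            // inside [...] quantifier characters are literals
  let prevWasGroupClose = false;
  let lastClosedHadUnbounded = false;

  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; prevWasGroupClose = false; continue; }   // skip escaped char
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; prevWasGroupClose = false; continue; }
    if (c === '(') { groupHasUnbounded.push(false); prevWasGroupClose = false; continue; }
    if (c === ')') {
      lastClosedHadUnbounded = groupHasUnbounded.pop() === true;
      prevWasGroupClose = true;
      continue;
    }

    let unbounded = false;
    if (c === '+' || c === '*') {
      unbounded = true;
    } else if (c === '{') {
      const close = pattern.indexOf('}', i);
      const body = close > i ? pattern.slice(i + 1, close) : '';
      if (/^\d+(,\d*)?$/.test(body)) {   // a real {n}, {n,} or {n,m} quantifier
        unbounded = /^\d+,$/.test(body);  // only {n,} has no upper bound
        i = close;
      }
    }
    if (unbounded) {
      if (prevWasGroupClose && lastClosedHadUnbounded) return true;
      if (groupHasUnbounded.length) groupHasUnbounded[groupHasUnbounded.length - 1] = true;
    }
    prevWasGroupClose = false;
  }
  return false;
}

// Splits rules into those safe to compile and those rejected, with a reason.
function validateRules(rules) {
  const accepted = [];
  const rejected = [];
  for (const rule of rules) {
    if (hasNestedQuantifier(rule.pattern)) {
      rejected.push({ name: rule.name, reason: 'nested unbounded quantifier' });
      continue;
    }
    try {
      accepted.push({ name: rule.name, regex: new RegExp(rule.pattern, 'g') });
    } catch (e) {
      rejected.push({ name: rule.name, reason: `invalid pattern: ${e.message}` });
    }
  }
  return { accepted, rejected };
}

// Applies the accepted rules to `text`, replacing each match with [name].
// The length cap bounds the work even for patterns the static check misses.
function redactWithRules(text, rules, maxInputLength = 10000) {
  if (text.length > maxInputLength) {
    throw new RangeError(`input of ${text.length} chars exceeds cap of ${maxInputLength}`);
  }
  const { accepted, rejected } = validateRules(rules);
  let out = text;
  for (const { name, regex } of accepted) {
    out = out.replace(regex, `[${name}]`);
  }
  return { text: out, rejected };
}

// Constructed sample rules: two safe ones and one with a nested quantifier.
const SAMPLE_RULES = [
  { name: 'phone', pattern: '\\d{3}-\\d{4}' },
  { name: 'email', pattern: '[\\w.]+@[\\w.]+' },
  { name: 'broken', pattern: '(\\w+\\.)*\\w+@example\\.com' },
];
const SAMPLE_TEXT = 'Call 555-1234 or mail alice@example.com';

console.log(JSON.stringify(redactWithRules(SAMPLE_TEXT, SAMPLE_RULES)));
```

In a real deployment the same check would sit at the point where an operator saves a custom rule, so that a dangerous pattern is rejected at configuration time rather than discovered when a long input stalls the event loop; the input cap is the second line of defence for patterns the linter cannot classify.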

Added: Feb 26, 2026, 6:35 PM
Updated: Feb 26, 2026, 6:35 PM

Vulnerability Rating

Custom Algorithm

spread           5.7
impact           2.5
exploitability   4.4
remediation      8.3
relevance        3.2
threat           0.0
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.