Packetbeat Buffer Overflow Exploit

MEDIUM (6.5) Patch Available

Threat Intelligence

Low Risk
EPSS Score: 0.04% chance of exploitation (percentile: 13%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Packetbeat is Elastic's network packet shipper, one of the Beats: it captures traffic from a network interface, decodes application-layer protocols, and ships the decoded transactions to Elasticsearch. It is widely used in the Elasticsearch ecosystem for monitoring and analysing network traffic, both standalone and inside the Elastic Agent Network Packet Capture integration, which runs Packetbeat under the hood. This vulnerability is a buffer overflow in Packetbeat's packet handling that a single crafted UDP packet can trigger, crashing the process or driving it into heavy resource consumption (a denial of service of the monitoring itself).

Am I affected?

You are affected if you run any of the following, whether as standalone Packetbeat or through the Elastic Agent Network Packet Capture integration:

- 7.x: every release
- 8.x: 8.0.0 up to and including 8.19.8
- 9.x: 9.0.0 up to and including 9.1.8, and 9.2.x up to and including 9.2.2

Check the installed version with: packetbeat version (on an Elastic Agent host: elastic-agent version, then look at the Network Packet Capture integration's agent version in Fleet).

Note that this is a remote vulnerability: it requires no authentication and no user interaction, only the ability to get one crafted UDP packet onto a network segment that Packetbeat is capturing. No public exploit is known at the time of writing, but the trigger condition is simple.
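The version ranges above encoded as a check you can run on a host, as an added example that is not Elastic's code or part of this advisory. It assumes that packetbeat version prints a line containing the release as X.Y.Z (the exact output format is an assumption; only the first MAJOR.MINOR.PATCH token is used) and that the binary is on PATH when the live check is requested.

```shell
#!/bin/sh
# Added example, not Elastic's code: classify a Packetbeat / Elastic Agent
# version against the affected ranges listed in this advisory.
# Assumption: `packetbeat version` prints a line containing "X.Y.Z"; only the
# first MAJOR.MINOR.PATCH token is used.

# is_affected MAJOR.MINOR.PATCH -> exit 0 if inside an affected range, 1 if not.
is_affected() {
  v="$1"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%[!0-9]*}          # strip suffixes such as "-SNAPSHOT"
  patch=${patch:-0}                # "8.19" is treated as 8.19.0
  case "$major" in
    7) return 0 ;;                 # every 7.x release is affected
    8)                             # 8.0.0 .. 8.19.8 affected; 8.19.9+ fixed
       [ "$minor" -lt 19 ] && return 0
       [ "$minor" -eq 19 ] && [ "$patch" -le 8 ] && return 0
       return 1 ;;
    9)                             # 9.0.0 .. 9.1.8 and 9.2.0 .. 9.2.2 affected
       [ "$minor" -lt 1 ] && return 0
       [ "$minor" -eq 1 ] && [ "$patch" -le 8 ] && return 0
       [ "$minor" -eq 2 ] && [ "$patch" -le 2 ] && return 0
       return 1 ;;                 # 9.1.9, 9.2.3 and later are fixed
    *) return 1 ;;                 # not in any range the advisory lists
  esac
}

# version_from_output "<packetbeat version output>" -> first X.Y.Z token.
version_from_output() {
  printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# check_installed -> 0 affected, 1 not affected, 2 packetbeat binary not found.
check_installed() {
  out=$(packetbeat version 2>/dev/null) || { echo "packetbeat not found in PATH"; return 2; }
  v=$(version_from_output "$out")
  if is_affected "$v"; then
    echo "packetbeat $v: AFFECTED, upgrade to 8.19.9, 9.1.9 or 9.2.3"
    return 0
  fi
  echo "packetbeat $v: not in the affected ranges"
  return 1
}

# The live check runs only when invoked as: sh check-packetbeat.sh --check
case "${1:-}" in
  --check) check_installed ;;
esac
```

The exit code of check_installed (0 affected, 1 not affected, 2 not installed) is deliberate so the script can be dropped into a fleet-wide inventory job; a version outside every listed range (for example a future 9.3.x) is reported as not affected only in the sense that the advisory does not list it.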

Affected Products

Elastic / Packetbeat

How to fix

Upgrade to Packetbeat 8.19.9, 9.1.9 or 9.2.3 (or the matching Elastic Agent release). No fixed 7.x release is listed, so 7.x deployments must move to 8.19.9 or later.
- For users that cannot upgrade: if you run the Network Packet Capture integration under Elastic Agent, disable memcached collection in the integration's settings. Only the memcached parser is switched off; the other protocol collections keep running.

References