After bumping the docker image version to elasticsearch:7.16.2 in GKE, whenever I start the elasticsearch pod, it immediately triggers a security alert "Added Library Loaded":
Added_Library_Fullpath: /tmp/twIW2T (deleted)
description: A library that was not part of the original container image was loaded. If an added library is loaded, this is a possible sign that an attacker has control of the workload and they are executing arbitrary code.
Process_Binary_Fullpath: /usr/share/elasticsearch/jdk/bin/java
This issue doesn't occur with the 7.14.0 image version, which I'm upgrading from.
I am not as familiar with this exact error, but I have worked with other containerization technology, for example Pivotal Cloud Foundry, that would raise this type of error because the expectation / policy is that the container image is immutable, and thus any changes / updates to the container would violate the security policy.
It may be something else instead.
@DavidTurner is correct please follow up using the procedure on the page he provided.
The fact that a library was created and dynamically loaded isn't surprising, Elasticsearch has used JNA for many years which does this (perhaps not always, but it's always been a possibility). What's surprising is the filename: JNA's filenames typically contain the string jna and I thought libffi would include the string ffi too, but @henrist is right that it doesn't always.
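One way to follow up on an alert like this on the running pod is to check which executable mappings of the java process are backed by files that were written at runtime and then unlinked, which is exactly the "(deleted)" path the alert reports. The script below is an added example for this thread, not code from Elastic or from the alerting product: it parses `/proc/<pid>/maps` lines and lists file-backed executable mappings that are either marked deleted or live under a temp directory. The sample maps lines are constructed for illustration (only the `/tmp/twIW2T (deleted)` path comes from the alert above); reading a real `/proc/<pid>/maps` requires being in the container's pid namespace, for example via `kubectl debug --target=<container>`.

```python
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List

# One line of /proc/<pid>/maps:  start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Directories where a process commonly drops a freshly written library (assumed list; extend per environment).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str
    deleted: bool  # True when the kernel appended " (deleted)": the file was unlinked after being mapped


def parse_maps(lines: Iterable[str]) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records."""
    out: List[Mapping] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = _MAPS_RE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        path = m["path"]
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], int(m["inode"]), path, deleted))
    return out


def suspicious_mappings(mappings: Iterable[Mapping]) -> List[Mapping]:
    """Executable, file-backed mappings whose backing file was unlinked or sits in a temp directory."""
    return [
        mp for mp in mappings
        if "x" in mp.perms
        and mp.inode != 0                  # skip anonymous memory
        and mp.path and not mp.path.startswith("[")  # skip [stack], [vdso], ...
        and (mp.deleted or mp.path.startswith(TEMP_DIRS))
    ]


def suspicious_files(mappings: Iterable[Mapping]) -> List[str]:
    """Distinct backing files, in the same form the alert prints (path plus ' (deleted)')."""
    seen: List[str] = []
    for mp in suspicious_mappings(mappings):
        label = mp.path + (" (deleted)" if mp.deleted else "")
        if label not in seen:
            seen.append(label)
    return seen


# Constructed sample: a java process with a library extracted to /tmp, loaded, then unlinked.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234567 /usr/share/elasticsearch/jdk/bin/java
7f3a1c000000-7f3a1c001000 r-xp 00000000 08:01 7654321 /tmp/twIW2T (deleted)
7f3a1c001000-7f3a1c002000 rw-p 00001000 08:01 7654321 /tmp/twIW2T (deleted)
7f3a2d000000-7f3a2d1ee000 r-xp 00000000 08:01 2222222 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f3a2d1ee000-7f3a2d200000 rw-p 00000000 00:00 0
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""


if __name__ == "__main__":
    # Usage: python3 maps_check.py <pid>   (defaults to the constructed sample when no pid is given)
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/maps") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_MAPS.splitlines()
    for label in suspicious_files(parse_maps(lines)):
        print(label)
```

While the deleted file is still mapped, its contents remain readable through `/proc/<pid>/map_files/<start>-<end>` (start and end in hex, as in the maps line), so the library can be copied out and inspected, for example with `strings` to look for "jna" or "ffi", before deciding whether the alert is the expected JNA/libffi behaviour described above.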