Bitbucket and Elastic security question!

Hi everyone,
Your advice would be very much appreciated!

Is Elasticsearch version 6.8.22 or Elastic 7.16.2 considered vulnerable? Do we need to perform any manual mitigation?

Also, having the Elasticsearch version 6.5.3 + applying the flag enough? Or do we need to take additional steps?

I am aware that there is the latest version which is completely safe 6.8.23 and 7.16.3 but we use Bitbucket and need the Elasticsearch version to be supported for that.

Many thanks ahead,
Simha

Welcome to our community! :smiley:

Vulnerable to what exactly?

Thank you :slight_smile:

  1. Is Elasticsearch 6.5.3 is vulnerable to CVE-2021-45046, CVE-2021-44228 ? Any other vulnerabilities we should be aware of? Is applying the flag mitigation while we have Jave build 1.8.0_231-b11 is the complete fix?

  2. Elasticsearch versions 6.8.22 & 7.16.2 were addressed with both VCE's mentioned or are there any additional we should be aware of? Is having jar version 2.17.0 is the complete solution for these vulnerabilities?

Introducing Elasticsearch 7.16.2 and 6.8.22

  1. What is the difference between jar 2.17.0 and jar 2.17.1 ?

  2. What are the fixes that were delivered in Elasticsearch 6.8.23 & 7.16.3

I am asking as we keep being asked by the security team to perform the manual mitigation in the current 5.6.3 version and remove the vulnerable class, while according to my understanding the flag mitigation should be enough + removing the vulnerable class is not supported for this version.

Many thanks!

I'd encourage you to read through Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31, it's very comprehensive.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.