Hi everyone,
Your advice would be very much appreciated!
Is Elasticsearch version 6.8.22 or Elastic 7.16.2 considered vulnerable? Do we need to perform any manual mitigation?
Also, having the Elasticsearch version 6.5.3 + applying the flag enough? Or do we need to take additional steps?
I am aware that there is the latest version which is completely safe 6.8.23 and 7.16.3 but we use Bitbucket and need the Elasticsearch version to be supported for that.
Is Elasticsearch 6.5.3 is vulnerable to CVE-2021-45046, CVE-2021-44228 ? Any other vulnerabilities we should be aware of? Is applying the flag mitigation while we have Jave build 1.8.0_231-b11 is the complete fix?
Elasticsearch versions 6.8.22 & 7.16.2 were addressed with both VCE's mentioned or are there any additional we should be aware of? Is having jar version 2.17.0 is the complete solution for these vulnerabilities?
What is the difference between jar 2.17.0 and jar 2.17.1 ?
What are the fixes that were delivered in Elasticsearch 6.8.23 & 7.16.3
I am asking as we keep being asked by the security team to perform the manual mitigation in the current 5.6.3 version and remove the vulnerable class, while according to my understanding the flag mitigation should be enough + removing the vulnerable class is not supported for this version.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.