Critical vulns in logstash docker: CVE-2022-46337, CVE-2021-26291

AdrianTT · December 5, 2023, 12:10pm

trivy reports in the logstash:8.11 docker image the following critical vulns:

CVE-2022-46337 in org.apache.derby:derby (derby-10.14.1.0.jar)
CVE-2021-26291 in org.apache.maven:maven-compat (maven-compat-3.3.9.jar), org.apache.maven:maven-core (maven-core-3.3.9.jar)

These CVEs are not listed on the security issues page.
https://www.elastic.co/community/security

There's no acknowledgment of it or recommendations for remediation. Please advise.

Badger · December 5, 2023, 5:11pm

You should enquire via email to security@elastic.co. They will not respond to a request here.

system · January 2, 2024, 5:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CVE-2022-1471 Still Applicable in latest 7.* and 8. *, not listed on Security Issues Page Endpoint Security elastic-stack-security	4	875	October 12, 2023
Security vulnerability CVE-2021-46848 in Logstash base OS image Logstash docker	1	280	December 1, 2022
Fix for CVE-2023-52428 in logstash Elastic Security docker	3	65	August 14, 2024
Elastic Stack 8.4.0, 7.17.6 Security Statement Security Announcements docker	1	6129	November 4, 2022
Vulnerabilities in docker image elasticsearch/elasticsearch:7.17.8 Elasticsearch docker	6	796	February 15, 2023