CVE-2022-1471 Still Applicable in latest 7.* and 8.*, not listed on Security Issues Page

The latest versions of 7.* and 8.* in the Elasticsearch image still contain a CRITICAL security vulnerability for CVE-2022-1471, snakeyaml. When is this going to be addressed? Are there suggested workarounds or mitigations?

Two other threads posted this months ago, but were simply sent to the Security center page. However, this page doesn't even list this CVE, and there's no acknowledgement of it or recommendations for remediation. Please advise.

Whilst we are on this topic, there seem to be no fewer than 4 Critical CVEs in the latest logstash container, the snakeyaml one Anthony mentions and:

[CVE-2020-14001]
[CVE-2023-40175]
[CVE-2022-25648]

That's in 7.17.13

docker.elastic.co/logstash/logstash-oss:7.17.13

@aduerr Please see Elasticsearch Security Statement regarding CVE-2022-1471

@Michael_Day1 our standard policy applies:

Elastic's security reporting guidelines are available at Security issues | Elastic.

Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.

Thank you for the update.
