Docker image vulnerabilities

Hi,

We've seen on Docker Hub some critical vulnerabilities on the latest Elasticsearch Docker image.

CVE-2014-6277
CVE-2014-6278
CVE-2019-9924
CVE-2018-15686
CVE-2018-14618
CVE-2019-8457
CVE-2019-9169
...
How can we know when those vulnerabilities will be tackled?
Is it planned?

Thank you in advance,
Yohan

Hey.

The official images are not in DockerHub.
Have a look at https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html

HTH

Hi @Yohan_al,

I wouldn't expect any of these to affect our latest container images, but I would also like to better understand what's happening here. Can you let me know what the container names are and what scanner is giving these results?

If you're not comfortable posting what the image names are, please mail security@elastic.co and we can follow up there.

Josh Bressers
Elastic Product Security

1 Like

Hello guys, thank you for your quick feedback.
As David says, we were using an image based on Docker Hub (10 million downloads). Is there really a difference? It seems that the image IDs are the same between the two repositories (Docker Hub and the Elastic repository).

If you log in on Docker Hub, you can see potential vulnerabilities on the tags page:
here: https://hub.docker.com/_/elasticsearch?tab=tags
screenshot: https://ibb.co/6HPVg9D

I don't know which scanner is used on Docker Hub; maybe you will find what you're looking for in their documentation.

I'm sorry. That was wrong. Images in Docker hub are like mirrors to our Docker repository.

1 Like

Hi @Yohan_al,

I took a look at this list (I didn't know this was a thing even, so thanks for that). Everything on that list is a false positive. I'll go over them below.

https://hub.docker.com/_/elasticsearch/scans/library/elasticsearch/7.1.1

  • expat 1.95.7
    • We don't use this library or any of its functionality in any way. It's part of apr (and we don't use features that touch expat there either).
  • lucene
    • This looks like a problem with the scanner. The flaw in question is for Solr only.
  • jackson-databind 2.8.11.3
    • This is known. We don't use jackson-databind in a vulnerable manner and are planning to upgrade in a future release. As we're not vulnerable to the flaws the upgrade is not a high priority.
  • guava
    • This is known. We don't use guava in a vulnerable manner and are planning to upgrade in a future release. As we're not vulnerable to the flaws the upgrade is not a high priority.
  • apr
    • We do not use the functions in question.

Let me know if you need anything else.

Thanks

3 Likes
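The reply above walks through a scanner report package by package and records why each hit is a false positive (library not used, vulnerable function not called, flaw belongs to a different product). Teams that consume such scan results usually want that reasoning captured in a machine-readable triage list so the same findings do not have to be re-argued on every scan, while still being forced back into review when the package version changes or the decision gets stale. The script below is an added example of that workflow; it is not code from this thread or from Elastic. The findings, the decision records, the reviewer name and the `CVE-0000-000x` identifiers are all constructed placeholders; the package names are taken from the reply.

```python
"""Triage container-scanner findings against reviewed 'not affected' decisions.

Added example, not code from the thread or from Elastic. Every record below is
constructed; the CVE identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    cve: str
    severity: str


@dataclass(frozen=True)
class Decision:
    package: str
    version: str        # the decision only covers the version that was actually reviewed
    cve: str
    justification: str  # why the image is not affected, in VEX-style wording
    reviewed_by: str
    expires: date       # forces periodic re-review instead of a permanent mute


# Constructed scanner output, shaped like the package list discussed in the thread.
SCAN_RESULTS = [
    Finding("expat", "1.95.7", "CVE-0000-0001", "critical"),
    Finding("jackson-databind", "2.8.11.3", "CVE-0000-0002", "high"),
    Finding("guava", "18.0", "CVE-0000-0003", "medium"),
    Finding("apr", "1.6.5", "CVE-0000-0004", "high"),
    Finding("lucene", "8.0.0", "CVE-0000-0005", "critical"),
]

# Constructed triage decisions. Two of them deliberately fail to apply:
# the guava decision was made for a different version, and the apr decision has expired.
DECISIONS = [
    Decision("expat", "1.95.7", "CVE-0000-0001",
             "vulnerable_code_not_present: library is pulled in by apr but never called",
             "product-security (placeholder)", date(2019, 12, 31)),
    Decision("jackson-databind", "2.8.11.3", "CVE-0000-0002",
             "vulnerable_code_not_in_execute_path: upgrade planned for a future release",
             "product-security (placeholder)", date(2019, 12, 31)),
    Decision("guava", "17.0", "CVE-0000-0003",
             "vulnerable_code_not_in_execute_path",
             "product-security (placeholder)", date(2019, 12, 31)),
    Decision("apr", "1.6.5", "CVE-0000-0004",
             "vulnerable_code_not_in_execute_path: affected functions are not used",
             "product-security (placeholder)", date(2019, 3, 31)),
    Decision("lucene", "8.0.0", "CVE-0000-0005",
             "component_not_present: advisory applies to Solr, not to the Lucene library",
             "product-security (placeholder)", date(2019, 12, 31)),
]


def triage(findings, decisions, today):
    """Split findings into (still_open, suppressed).

    A finding is suppressed only when a decision matches package, version and
    CVE exactly and has not expired. Anything else stays open so that a version
    bump or a stale decision is looked at again rather than silently ignored.
    """
    index = {(d.package, d.version, d.cve): d for d in decisions}
    still_open, suppressed = [], []
    for f in findings:
        d = index.get((f.package, f.version, f.cve))
        if d is None or d.expires < today:
            still_open.append(f)
        else:
            suppressed.append((f, d))
    return still_open, suppressed


def render(still_open, suppressed):
    """Produce report lines; suppressed hits keep their justification so the audit trail survives."""
    lines = [f"OPEN       {f.package} {f.version} {f.cve} ({f.severity})" for f in still_open]
    lines += [f"SUPPRESSED {f.package} {f.version} {f.cve}: {d.justification} "
              f"[{d.reviewed_by}, until {d.expires.isoformat()}]" for f, d in suppressed]
    return lines


if __name__ == "__main__":
    open_findings, suppressed_findings = triage(SCAN_RESULTS, DECISIONS, date(2019, 7, 1))
    print("\n".join(render(open_findings, suppressed_findings)))
```

Run as written, the guava hit stays open because the recorded decision covers a different version, and the apr hit stays open because its decision expired; the other three are suppressed with their justification printed alongside. The expiry date is the important design choice: "not vulnerable, upgrade is low priority" is a reasonable call today, but the decision should be revisited on a schedule rather than muted forever.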

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.