Docker image vulnerabilies

Yohan_al · June 5, 2019, 11:38pm

Hi,

We've seen on docker hub somes criticals vulnerabilities on the latest elasticsearch docker image.

CVE-2014-6277
CVE-2014-6278
CVE-2019-9924
CVE-2018-15686
CVE-2018-14618
CVE-2019-8457
CVE-2019-9169
...
how can we know when thoses vulnerabilies will be tackled ?
is it planned ?

Thank you in advance,
Yohan

dadoonet · June 6, 2019, 12:57am

Hey.

The official images are not in DockerHub.
Have a look at https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html

HTH

joshbressers · June 6, 2019, 1:15am

Hi @Yohan_al,

I wouldn't expect any of these to affect our latest container images, but I would also like to better understand what's happening here. Can you let me know what the container names are and what scanner is giving these results?

If you're not comfortable posting what the image names are, please mail security@elastic.co and we can followup there.

Josh Bressers
Elastic Product Security

Yohan_al · June 6, 2019, 4:49am

Hello guys, thank you for your quick feedback .
As David says, we was using image based on docker hub (10 millions download). Is there really a difference ? it seems that image Id are the same between the two repositories (docker hub and elastic repository).

if you re loggin on docker hub, you saw on tags page potentials vulnerabilities :
here : https://hub.docker.com/_/elasticsearch?tab=tags
screenshot : https://ibb.co/6HPVg9D

I don't know wich scanner is used on docker hub, may be you will find what you re looking for in their documentation.

dadoonet · June 6, 2019, 5:11am

I'm sorry. That was wrong. Images in Docker hub are like mirrors to our Docker repository.

joshbressers · June 6, 2019, 6:22pm

Hi @Yohan_al,

I took a look at this list (I didn't know this was a thing even, so thanks for that). Everything on that list is a false positive. I'll go over them below.

https://hub.docker.com/_/elasticsearch/scans/library/elasticsearch/7.1.1

expat 1.95.7
- We don't use this library or any of it's functionality in any way. It's part of apr (and we don't use features that touch expat there either).
lucene
- This looks like a problem with the scanner. The flaw in question is for Solr only
jackson-databind 2.8.11.3
- This is known. We don't use jackson-databind in a vulnerable manner and are planning to upgrade in a future release. As we're not vulnerable to the flaws the upgrade is not a high priority.
guava
- This is known. We don't use guava in a vulnerable manner and are planning to upgrade in a future release. As we're not vulnerable to the flaws the upgrade is not a high priority.
apr
- We do not use the functions in question

Let me know if you need anything else.

Thanks

system · July 4, 2019, 6:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Vulnerabilities in docker image elasticsearch/elasticsearch:7.17.8 Elasticsearch docker	6	796	February 15, 2023
Security Vulnerability in ELK stack during docker scan by twistlock Elasticsearch	2	543	June 22, 2021
High Vulnerabilities found in Elasticsearch docker image v7.17.9 Elasticsearch docker	3	735	March 20, 2023
Security vulnerabilities in Elasticsearch docker images - v 8.2.0 Elasticsearch docker	3	449	June 23, 2022
Fix for CVE-2021-27568 in 8.1.2 Elastic Cloud on Kubernetes (ECK) docker	2	429	May 3, 2022

Docker image vulnerabilies

Related topics