I wouldn't expect any of these to affect our latest container images, but I would also like to better understand what's happening here. Can you let me know what the container names are and what scanner is giving these results?
If you're not comfortable posting what the image names are, please mail security@elastic.co and we can follow up there.
Hello guys, thank you for your quick feedback.
As David says, we were using the image based on Docker Hub (10 million downloads). Is there really a difference? It seems that the image IDs are the same between the two repositories (Docker Hub and the Elastic repository).
I took a look at this list (I didn't know this was a thing even, so thanks for that). Everything on that list is a false positive. I'll go over them below.
We don't use this library or any of its functionality in any way. It's part of apr (and we don't use features that touch expat there either).
lucene
This looks like a problem with the scanner. The flaw in question is for Solr only.
jackson-databind 2.8.11.3
This is known. We don't use jackson-databind in a vulnerable manner and are planning to upgrade in a future release. As we're not vulnerable to the flaws, the upgrade is not a high priority.
guava
This is known. We don't use guava in a vulnerable manner and are planning to upgrade in a future release. As we're not vulnerable to the flaws, the upgrade is not a high priority.