DockerHub showing Log4Shell vulnerability on supported version

Despite the official announcement saying that supported versions of Elasticsearch (6.8.9+, 7.8+) cannot be exploited because of Elasticsearch's usage of the Java Security Manager, Docker Hub is showing images as "Log4Shell" detected.

I suppose that those Elasticsearch versions are secure because of the official announcement, but due to this global paranoia, it would be nice to clarify explicitly in the announcement that, despite Docker Hub showing "Log4Shell" detected, these supported versions are secure.

If not clarified, it would be nice to have a patch version also for versions of Elasticsearch (6.8.9+, 7.8+), because it feels kind of "forced" for users between 7.0 and 7.16 to update to the patched version.

I am not complaining; I'm glad Elasticsearch takes such effort in mitigating and patching things. I'm just suggesting this because there is a lot of misinformation about Elasticsearch and this specific vulnerability.

Best regards, and I hope this logpocalypse ends soon :slight_smile:

https://twitter.com/justincormack/status/1471519246811209736 is relevant to this, but it looks like Docker is looking after it.
