Do Elasticsearch and Kibana use bzip2?

Hi,
Does Kibana or Elasticsearch use bzip2? If yes, how can I check what the current version is?

In what capacity are you wondering about? Do we have a distribution available that is of type bzip2? Or do we utilize bzip2 at all within our product?

1 Like

Hi @tylersmalley, I'm wondering if Elasticsearch or Kibana utilize bzip2. To give some more context, I was actually looking at one of the CVEs (CVE-2019-12900). In our scan for CVEs, Elasticsearch and Kibana got flagged for this particular CVE. However, when I tried to search for the version used by Kibana and Elasticsearch, I failed to find whether Elasticsearch and Kibana utilize bzip2 or not.

Hi @nkarthik, what version of the stack are you talking about? Also, are you talking about Elasticsearch/Kibana distributions or about our Docker images? Can you give us a little bit more detail?

Thanks,
Oleg

Hi @azasypkin, I'm currently using version 7.3.2 of the stack. I'm referring to the Docker image. Does Elasticsearch/Kibana v7.3.2 utilize the bzip2 package? If yes, how can I find the current bzip2 version?

Got it, thanks. @nkarthik would you mind forwarding your question to security@elastic.co?

I'd suggest using this address to ask any CVE-related questions or concerns in the future as well. This way you'll always get an accurate answer.

Thanks,
Oleg

Sure, thanks @azasypkin.

Here is the response I sent to @nkarthik via our security@ address (just to close the loop for anyone paying attention).

Kibana does not use bzip2 in any way. There is no way a remote attacker could exploit this vulnerability.

The container in question contains the package bzip2-libs which appears to be where the vulnerability in question is coming from.

I looked up Red Hat's response to this issue; they do not plan to fix it due to it having a low impact.
https://access.redhat.com/security/cve/cve-2019-12900

We follow Red Hat on these issues; if they do not update the package, there is nothing we can do in our containers as we are not operating system vendors.

2 Likes

Thank you @joshbressers for confirming.
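
The two checks behind this thread (which version of `bzip2-libs` is installed in the container, and whether a given process has actually mapped `libbz2`) can be scripted for scanner-finding triage. This is an added example, not part of any post above and not Elastic's tooling; the function names are hypothetical and the package list and memory map are constructed sample data.

```shell
#!/bin/sh
# Added example: scanner-finding triage for a library package inside a container.
# Real inputs, collected inside the running container:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'   (installed packages)
#   cat /proc/<pid>/maps                             (what one process has mapped)

# Constructed sample data, not taken from any real image.
SAMPLE_PKGS='bash 4.2.46-1.sample
bzip2-libs 1.0.6-1.sample
glibc 2.17-1.sample'
SAMPLE_MAPS='00400000-00401000 r-xp 00000000 fd:01 1001 /opt/app/bin/node
7f0000000000-7f0000010000 r-xp 00000000 fd:01 1002 /usr/lib64/libc-2.17.so
7f0000020000-7f0000021000 rw-p 00000000 00:00 0'

# Print the version of package $1 from "name version" lines on stdin;
# exit non-zero when the package is absent.
pkg_version() {
    awk -v name="$1" '$1 == name { print $2; hit = 1 } END { exit !hit }'
}

# Succeed when the maps text on stdin contains a mapped file named $1.so*.
maps_library() {
    awk -v lib="$1" '
        { n = split($NF, parts, "/"); if (index(parts[n], lib ".so") == 1) hit = 1 }
        END { exit !hit }'
}

# triage PKG LIB PKGLIST MAPS: print one verdict line for the finding.
triage() {
    ver=$(printf '%s\n' "$3" | pkg_version "$1") || { echo "$1: not installed"; return 0; }
    if printf '%s\n' "$4" | maps_library "$2"; then
        echo "$1 $ver: installed and mapped by this process"
    else
        echo "$1 $ver: installed, not mapped by this process"
    fi
}

triage bzip2-libs libbz2 "$SAMPLE_PKGS" "$SAMPLE_MAPS"
```

The maps check is a point-in-time view of one process, so a library loaded later on demand would not appear; repeat it for each long-running process in the container.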