Does Elasticsearch and kibana use bzip2

nkarthik · March 17, 2021, 12:41pm

Hi,
Does kibana or Elasticsearch use bzip2 ? If yes, How can I check what is the current version?

tylersmalley · March 17, 2021, 7:11pm

In what capacity are you wondering about? Do we have a distribution available that is of type bzip2? Or do we utilize bzip2 at all within our product?

nkarthik · March 22, 2021, 3:40am

Hi @tylersmalley, I'm wondering if Elasticsearch or kibana utilize bzip2. To give some more context, Actually I was looking at one of the CVE( CVE-2019-12900 ). In our scan for CVE's, elasticsearch and kibana got flagged for this particular CVE. Although when I tried to search for the verion used by kibana and elasticsearch, I failed to find if elasticsearch and kibana utilises bzip2 or not.

azasypkin · March 22, 2021, 9:23am

Hi @nkarthik what version of the stack you're talking about? Also are you talking about Elasticsearch/Kibana distributions or about our Docker images? Can you give us a little bit more details?

Thanks,
Oleg

nkarthik · March 22, 2021, 10:53am

Hi @azasypkin, I'm currently using version 7.3.2 stack. I'm referring to the Docker Image. Does elasticsearch/kibana v7.3.2 utilize bzip2 package. If Yes, how can I find bzip2 current version ?

azasypkin · March 22, 2021, 2:24pm

Got it, thanks. @nkarthik would you mind forwarding your question to security@elastic.co?

I'd suggest using this address to ask any CVE-related questions or concerns in the future as well. This way you'll always get an accurate answer.

Thanks,
Oleg

nkarthik · March 22, 2021, 2:50pm

Sure, Thanks @azasypkin.

joshbressers · March 24, 2021, 6:14pm

Here is the response I sent to @nkarthik via our security@ address (just to close the loop for anyone paying attention).

Kibana does not use the bzip2 in any way. There is no way a remote attacker could exploit this vulnerability.

The container in question contains the package bzip2-libs which appears to be where the vulnerability in question is coming from.

I looked up Red Hat's response to this issue, they do not plan to fix it due to it having a low impact.
https://access.redhat.com/security/cve/cve-2019-12900

We follow Red Hat on these issues, if they do not update the package, there is nothing we can do in our containers as we are not operating system vendors.

nkarthik · March 26, 2021, 3:07am

Thank you @joshbressers for confirming.

system · April 23, 2021, 3:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.