Elastic Open Crawler - Recent Container CVEs

Hello,

I have been using the Elastic Open Crawler for some time now. In general, it has been a nice, functional replacement for the deprecated Enterprise Search Crawler.

When my Elastic Open Crawler container(s) launch, they launch with either the docker.elastic.co/integrations/crawler:latest or docker.elastic.co/integrations/crawler:0.4.2 image.

docker ps
CONTAINER ID   IMAGE                                           COMMAND       CREATED        STATUS        PORTS     NAMES
6c52ec83e23e   docker.elastic.co/integrations/crawler:latest   "/bin/bash"   20 hours ago   Up 20 hours             crawler

bash-5.3$ cat product_version
0.4.2

Within the running container, the rack version appears to be different than the recently pushed CVE fixes:

bash-5.3$ egrep 'rack|java' Gemfile Gemfile.lock
Gemfile:  gem 'rack', '~> 2.2.14'

Gemfile.lock:    rack (2.2.16)
Gemfile.lock:      rack (>= 1.0.0)
Gemfile.lock:  universal-java-17
Gemfile.lock:  universal-java-21
Gemfile.lock:  universal-java-22
Gemfile.lock:  universal-java-23
Gemfile.lock:  rack (~> 2.2.14)


And I suppose for the other ruby-maven removal CVE in the Dockerfile.
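
An added example, not part of the original post and not Elastic's code: in the egrep output above, only the line indented four spaces (`rack (2.2.16)`) is the version Bundler resolved. The other `rack (...)` lines are constraints. This sketch separates the two and compares the resolved version with a fixed version taken from the advisory. The sample lockfile, the `example-gem` entry and the threshold values are constructed placeholders.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

# Constructed sample: same rack lines as the egrep output; "example-gem" is hypothetical.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-gem (1.0.0)
        rack (>= 1.0.0)
      rack (2.2.16)

  PLATFORMS
    universal-java-17

  DEPENDENCIES
    rack (~> 2.2.14)
LOCK

# Split a gem's Gemfile.lock lines into the resolved version (4-space indent
# under "specs:") and constraint lines (any other indent).
def lock_entries(lock_text, gem_name)
  resolved = nil
  constraints = []
  lock_text.each_line do |line|
    m = line.match(/\A( +)#{Regexp.escape(gem_name)} \(([^)]+)\)/)
    next unless m
    if m[1].length == 4
      resolved = Gem::Version.new(m[2])
    else
      constraints << Gem::Requirement.new(*m[2].split(/,\s*/))
    end
  end
  { resolved: resolved, constraints: constraints }
end

# Compare the resolved version with the first fixed release from the advisory.
def check_locked(lock_text, gem_name, min_fixed)
  resolved = lock_entries(lock_text, gem_name)[:resolved]
  return :not_locked unless resolved
  resolved >= Gem::Version.new(min_fixed) ? :ok : :below_fixed
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  min_fixed = ARGV[1] || "2.2.14" # placeholder: use the version named in the advisory
  puts "rack resolved: #{lock_entries(text, 'rack')[:resolved]} -> #{check_locked(text, 'rack', min_fixed)}"
end
```

Pass the path to a Gemfile.lock copied out of the image as the first argument and the advisory's fixed version as the second.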