Elastic search 7.13 found vulnerable in Twistlock report

We are using Elasticsearch 7.13, and in a recent Twistlock vulnerability scan these jars were reported with 2 High vulnerabilities:
CVE-2020-25649
CVE-2020-28491

com.fasterxml.jackson.core_jackson-databind - 2.10.4

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

com.fasterxml.jackson.dataformat_jackson-dataformat-cbor - 2.10.4

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

Let us know how to tackle this issue.

Upgrade to 7.15.0.

We checked the Elasticsearch 7.15 version as well but found the same issue. These specific vulnerabilities were reported more than a year ago, and as per the CVE details (NVD - CVE-2020-25649) it is not resolved yet. Kindly let us know how we can get a quick fix for this, or any alternative.

| image | tag | severity (C/H/M/L) | cvss | cve | status | packageName | packageVersion |
|---|---|---|---|---|---|---|---|
| cp.stg.icr.io/cp/cpd/elasticsearch:7.15.0 | 7.15.0 | H | 7.5 | CVE-2020-28491 | fixed in 2.11.4, 2.12.1 | com.fasterxml.jackson.dataformat_jackson-dataformat-cbor | 2.10.4 |
| cp.stg.icr.io/cp/cpd/elasticsearch:7.15.0 | 7.15.0 | H | 7.5 | CVE-2020-25649 | fixed in 2.10.5.1, 2.9.10.7, 2.6.7.4 | com.fasterxml.jackson.core_jackson-databind | 2.10.4 |
| cp.stg.icr.io/cp/cpd/elasticsearch:7.15.0 | 7.15.0 | H | | | | | |
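The scanner's "fixed in" column lists one fixed release per maintained branch (2.10.5.1, 2.9.10.7, 2.6.7.4 for jackson-databind), so deciding whether a bundled 2.10.4 is actually below the fix on its own branch, and which version would clear the finding, is a small version-comparison exercise. The script below is an added example written for this thread, not code from Elastic or Twistlock: it parses the report rows quoted above (embedded as a constructed sample in the scanner's whitespace-separated layout), finds the nearest fixed release on the reported branch, and, where the branch has no fix at all (the cbor case, with fixes only on 2.11/2.12), assumes that everything below the newest fixed release is affected and needs to jump to the next fixed branch. That assumption, the regex for the row layout, and the function names are all mine. The verdict is library-level only: it says nothing about whether Elasticsearch reaches the vulnerable code.

```python
"""Triage Twistlock-style findings: is the reported package version below the
nearest fixed release on its branch, and what is the smallest upgrade that clears it?
Added example for this thread; row format and branch heuristic are assumptions."""
import re
from typing import List, Optional, Tuple

# Constructed sample: the two complete rows quoted in the thread, in the scanner's
# layout (image, tag, severity, cvss, cve, status, packageName, packageVersion).
SAMPLE_REPORT = """\
image tag severityCHML cvss cve status packageName packageVersion
cp.stg.icr.io/cp/cpd/elasticsearch:7.15.0 7.15.0 H 7.5 CVE-2020-28491 fixed in 2.11.4, 2.12.1 com.fasterxml.jackson.dataformat_jackson-dataformat-cbor 2.10.4
cp.stg.icr.io/cp/cpd/elasticsearch:7.15.0 7.15.0 H 7.5 CVE-2020-25649 fixed in 2.10.5.1, 2.9.10.7, 2.6.7.4 com.fasterxml.jackson.core_jackson-databind 2.10.4
"""

# Package names start with a letter, which keeps the "fixed in" list from swallowing them.
LINE_RE = re.compile(
    r"^(?P<image>\S+)\s+(?P<tag>\S+)\s+(?P<sev>[CHML])\s+(?P<cvss>[\d.]+)\s+"
    r"(?P<cve>CVE-\d{4}-\d+)\s+fixed in (?P<fixed>[\d., ]+?)\s+"
    r"(?P<pkg>[A-Za-z]\S*)\s+(?P<ver>\S+)$"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.10.5.1' -> (2, 10, 5, 1); tuples compare component-wise like Maven versions."""
    return tuple(int(x) for x in v.split("."))


def fmt(t: Tuple[int, ...]) -> str:
    return ".".join(str(x) for x in t)


def triage(reported: str, fixed_versions: List[str]) -> Tuple[bool, Optional[str]]:
    """Return (affected, upgrade_to) for one finding.

    A branch is the first two components (2.10.x). If the fixed-in list names a
    release on the reported branch, the verdict is a plain comparison against it.
    Otherwise (assumption) any version below the newest fixed release is affected
    and the smallest fixed release above it is the upgrade target.
    """
    rv = parse_version(reported)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    same_branch = [f for f in fixes if f[:2] == rv[:2]]
    if same_branch:
        fix = same_branch[0]
        return (True, fmt(fix)) if rv < fix else (False, None)
    newer = [f for f in fixes if f > rv]
    if newer:
        return True, fmt(newer[0])
    return False, None  # above every listed fix: assumed to carry it


def parse_report(text: str) -> List[dict]:
    """Parse report rows and attach a triage verdict; header and truncated rows are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fixed = [f.strip() for f in m["fixed"].split(",") if f.strip()]
        affected, upgrade_to = triage(m["ver"], fixed)
        findings.append({
            "cve": m["cve"],
            "package": m["pkg"],
            "version": m["ver"],
            "fixed_in": fixed,
            "affected": affected,
            "upgrade_to": upgrade_to,
        })
    return findings


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        verdict = f"affected, upgrade to {f['upgrade_to']}" if f["affected"] else "not affected"
        print(f"{f['cve']} {f['package']} {f['version']}: {verdict}")
```

Run against the sample, both rows come back affected with 2.11.4 (cbor) and 2.10.5.1 (databind) as the smallest clearing versions; that matches the scanner's own fixed-in data and explains why a 7.15.0 image still bundling 2.10.4 produces the same findings as 7.13. The branch-jump heuristic is the part to review before trusting it on other packages, since a project that backported a fix to a branch the scanner did not list will be reported as affected.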

If you believe Elasticsearch has a security vulnerability you should report it via the proper channels and deploy a newer version once a fix is available. Note that vulnerabilities in underlying libraries often don't translate into vulnerabilities in the application that uses them, because the application may not be using the vulnerable feature.

