We are using Elasticsearch 7.13, and in a recent Twistlock vulnerability scan this jar was reported for 2 High vulnerabilities: CVE-2020-25649 and CVE-2020-28491.
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
We checked Elasticsearch 7.15 as well but found the same issue. These specific vulnerabilities were reported more than a year ago, and as per the CVE details (NVD - CVE-2020-25649) it is not resolved yet. Kindly let us know how we can get a quick fix for this or any alternative.
If you believe Elasticsearch has a security vulnerability you should report it via the proper channels and deploy a newer version once a fix is available. Note that vulnerabilities in underlying libraries often don't translate into vulnerabilities in the application that uses them, because the application may not be using the vulnerable feature.
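The reply's point, that a flagged library does not automatically mean an exploitable application, still leaves a practitioner with a concrete first step: confirm which Jackson jar versions the installation actually ships and whether they fall inside the range the advisory text quotes. The script below is an added example, not code from this thread or from Elastic. It encodes only the range stated above for CVE-2020-28491 (jackson-dataformat-cbor before 2.11.4, or from 2.12.0-rc1 before 2.12.1); the thread gives no version range for CVE-2020-25649, so jackson-databind is merely listed for a manual lookup. The jar file names in the sample are constructed, and the directory argument (an Elasticsearch `lib/` folder) is an assumption about how you would run it.

```python
"""Added example: list Jackson jars in a directory and flag a
jackson-dataformat-cbor version that lies in the range quoted for
CVE-2020-28491. Not part of the original discussion."""
import os
import re
import sys
from typing import List, Optional, Tuple

# Matches e.g. jackson-dataformat-cbor-2.10.4.jar or jackson-core-2.12.0-rc1.jar
JAR_RE = re.compile(r"^(jackson-[a-z-]+?)-(\d+\.\d+\.\d+(?:-rc\d+)?)\.jar$")

# Range as quoted in the question: lower bound inclusive, upper bound exclusive.
CBOR_AFFECTED_RANGES = [("0.0.0", "2.11.4"), ("2.12.0-rc1", "2.12.1")]


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key for 'X.Y.Z' or 'X.Y.Z-rcN'; an rc orders before its final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    major, minor, patch, rc = m.groups()
    is_release = 1 if rc is None else 0
    return (int(major), int(minor), int(patch), is_release, int(rc or 0))


def cbor_is_affected(version: str) -> bool:
    """True if a jackson-dataformat-cbor version falls inside a quoted range."""
    k = version_key(version)
    return any(version_key(lo) <= k < version_key(hi) for lo, hi in CBOR_AFFECTED_RANGES)


def scan_jar_names(names: List[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (artifact, version, verdict) for every Jackson jar name.

    verdict is True/False for jackson-dataformat-cbor and None for other
    Jackson artifacts, where this page supplies no range to compare against.
    """
    findings = []
    for name in sorted(names):
        m = JAR_RE.match(name)
        if not m:
            continue
        artifact, version = m.groups()
        verdict = cbor_is_affected(version) if artifact == "jackson-dataformat-cbor" else None
        findings.append((artifact, version, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample names; pass a real ES_HOME/lib path as argv[1] instead.
    sample = [
        "jackson-core-2.10.4.jar",
        "jackson-dataformat-cbor-2.10.4.jar",
        "jackson-dataformat-smile-2.10.4.jar",
        "lucene-core-8.8.2.jar",
    ]
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else sample
    labels = {True: "AFFECTED range", False: "outside quoted range", None: "check advisory manually"}
    for artifact, version, verdict in scan_jar_names(names):
        print(f"{artifact} {version}: {labels[verdict]}")
```

A hit only tells you the shipped version is inside the quoted range; per the reply above, whether the deployment is exposed also depends on whether the application exercises the affected code path, which this check does not determine.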