If you believe Elasticsearch has a security vulnerability you should report it via the proper channels and deploy a newer version once a fix is available. Note that vulnerabilities in underlying libraries often don't translate into vulnerabilities in the application that uses them, because the application may not be using the vulnerable feature.
3 Likes