Elastic Statement for Oracle July Critical Patch Update CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-25647, CVE-2022-34169
Summary: Oracle released their July Critical Patch Update for Java SE which contains 5 CVEs. Elastic has analyzed the flaws described by these CVEs and the information publicly available and determined that these do not introduce a vulnerability for any of our products or services. Out of abundance of caution, the JDK version that is bundled with our products has been updated to a non affected version with our latest releases.
Elasticsearch
Given the CVE description, the changes in the JDK source code and the information publicly available we believe that Elasticsearch is not affected by any of the aforementioned flaws.
Elasticsearch bundles a JDK with all download artifacts ( archives, RPM/DEB packages, Docker images ).
Elasticsearch has already shipped with an unaffected version of JDK, 18.0.2, since version 8.3.3. Versions 8.4.0 and 7.17.6 that are released on 2022-08-24 also bundle JDK 18.0.2.
Logstash
Given the CVE description, the changes in the JDK source code and the information publicly available we believe that Logstash is not affected by any of the aforementioned flaws.
Logstash bundles a JDK with all download artifacts ( archives, RPM/DEB packages, Docker images ).
Logstash versions 8.4.0 and 7.17.6 that are released on 2022-08-24 bundle unaffected JDK versions. Namely, Logstash version 8.4.0 bundles JDK 17.0.4 and Logstash version 7.17.6 bundles JDK 11.0.16.
Enterprise Search
Given the CVE description, the changes in the JDK source code and the information publicly available we believe that Enterprise Search is not affected by any of the aforementioned flaws. Enterprise Search bundles a JDK only with our Docker images.
Enterprise Search Docker images for versions 8.4.0 and 7.17.6 that are released on 2022-08-24 bundle unaffected JDK versions. Namely, Enterprise Search version 8.4.0 Docker image bundles JDK 11.0.16 and Enterprise Search version 7.17.6 Docker image bundles JDK 8u345.