Elasticsearch Vulnerabilities

Do these security vulnerabilities apply to the OSS distributions of Elasticsearch?




From https://www.elastic.co/community/security/

Thanks

For the first one, it applies only to the enterprise version; see: Elastic Stack 7.9.3 and 6.8.13 Security Update

I suggest you dig a bit more into the others, since it's an interesting question.

I wonder how they manage OSS and enterprise security.

The OSS version does not come with any security at all, which in itself is a big vulnerability.

Thanks. Some say "All versions of Elasticsearch before 7.9.2 and 6.8.13 are affected by this flaw", but I don't see how that can be the case if using OSS.

Can you create a CVE for a system without security? If you care about security you should not run a vanilla OSS Elasticsearch cluster.

These only affect Elasticsearch running with security enabled; they do not affect the OSS version.

As pointed out, I would suggest using our free security


Thanks for confirming. A long story but it's specifically the OSS distribution I needed to know about just now. All the points re security otherwise are valid and we are aware of the options.

Thanks for the comments everyone. Much appreciated.
