Hi ,
We recentely upgraded the ELK cluster from the 7.15.1 to 7.17.10 in order to fix security vulnerabilities , however after upgrading we are still have the open JDK vulnerability on Elasticsearch servers :
OpenJDK 7 <= 7u281 / 8 <= 8u272 / 11.0.0 <= 11.0.9 / 13.0.0 <= 13.0.5 /
15.0.0 <= 15.0.1 Vulnerability (2021-01-19)
But for kibana and logstach server we don't have this vulnerability
Could you plase provide help on how to fix that , is it possible to upgrade the openjdk on those elastick search servers whithout upgrading the ELK cluster to a higher version ?
Or we need to upgrade the whole ELK to 8.6 version .
You can see JVM and Elasticsearch compatibility here - Support Matrix | Elastic. If yoou can upgrade to 8.X you will be in a better position, otherwise use OpenJDK 20.
Note that we strongly recommend using the bundled JDK, since we treat it as a dependency of Elasticsearch. An apparent vulnerability in a dependency such as the JDK is often not a vulnerability in ES, perhaps because ES avoids the vulnerable feature or because it includes other protections which neutralise the problem. If you believe ES (including its bundled JDK) is genuinely vulnerable then please report the problem as per this page: Security issues | Elastic
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.