I'm using ES version 5.6.X, and I would like to change snakeyaml package version to the one with the fix to CVE-2022-1471 - Meaning, I need to change the package version from 1.33 (I guess..) to 2.0 . How can I do that? Should it be in my DockerFile? Or in elasticsearch.yml file?

Elasticsearch 5 is very old and is no longer maintained. We have never tested running Elasticsearch 5.6 with any version of SnakeYaml other than the one that it shipped with. It might work, but there are no guarantees. If you care about resolving vulnerabilities then you need to migrate to a maint…

Fixing snakeyaml vulnerability (CVE-2022-1471) on older ES versions

Elastic Stack Elasticsearch

Aviv_Nevo (Aviv Nevo) March 16, 2023, 1:24pm 5

Thanks @frens !
So it seems like this CVE still exists in latest ES version

I've posted a new topic on that - mainly to understand the plan to fix it, and how I can change this package version manually.

1 Like

Topic		Replies	Views
Snakeyaml vulnerability (CVE-2022-1471) on latest ES version Elasticsearch elastic-stack-security	2	1378	April 13, 2023
CVE-2022-1471 is not listed in Security Issues site Elasticsearch	2	569	May 15, 2023
Elasticsearch 7.17 and logstash7.17 have security issues with snakeyaml low versions and need to be upgraded to 2.0 or higher Elasticsearch	1	16	October 31, 2024
Which version of elasticsearch solve the CVE-2022-1471(snakeyaml need bump to 2.0 version) Kibana	2	372	April 9, 2024
CVE-2022-1471 is not listed in Security Issues site Logstash	2	274	July 19, 2023

Fixing snakeyaml vulnerability (CVE-2022-1471) on older ES versions

Related topics