High Vulnerabilities found in Elasticsearch docker image v7.17.9

hexer338 · February 20, 2023, 12:46pm

Hi Elastic Team,
We used aquasec's trivy scan(Trivy) to do vuln. scan on elasticsearch docker image: docker.elastic.co/elasticsearch/elasticsearch:7.17.9

We found 4 HIGH severity vulnerabilities below:
CVE-2023-0286
CVE-2021-37136
CVE-2021-37137
CVE-2021-40690

Can you triage this and provide any necessary remediations for above vulnerabilities.
FYI we did not find any remediation steps on Security issues | Elastic page.

Here is the full scan report: Vulnerability scan of Elasticsearch v7.17.9 docker image using Trivy · GitHub

carly.richmond · February 20, 2023, 12:52pm

Hi @hexer338,

The Security Issues page you references provides a link to the bug bounty programme in the Responsible Vulnerability Disclosure section. Did you submit a report this issue there? If not I would recommend that's the best place to report your findings.

Thanks for raising these issues!

warkolm · February 20, 2023, 8:58pm

Also on that page;

Users and customers may report any other potential security issues to security@elastic.co.

system · March 20, 2023, 8:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Vulnerabilities in docker image elasticsearch/elasticsearch:7.17.8 Elasticsearch docker	6	796	February 15, 2023
Security Vulnerability in ELK stack during docker scan by twistlock Elasticsearch	2	543	June 22, 2021
Security vulnerabilities in Elasticsearch docker images - v 8.2.0 Elasticsearch docker	3	449	June 23, 2022
Vulnerabilities in latest docker image of Elasticsearch 8.3.1 Elasticsearch docker	2	757	August 16, 2022
CVEs present in the latest version Elasticsearch	2	461	June 6, 2023

High Vulnerabilities found in Elasticsearch docker image v7.17.9

Related topics