How to fix the security problem of the EPR and logstash 8.15.0

jevonsnotes · August 16, 2024, 6:17am

Elastic Package Registry and logstash has been scanned for the following vulnerabilities，is there anyway to fix them ?

version 8.15.0

EPR:

CVE-2023-42365
CVE-2023-42364
CVE-2023-42366
CVE-2023-42363
CVE-2023-6992
CVE-2024-7264
CVE-2024-6197

busybox 1.36.1-r7 no recommend
zlib 1.3.1-r0 recommend 1.3.1-r1
curl 8.7.1-r0 recommend 8.9.1-r1

Logstash

rexml 3.3.2 recommend 3.3.3
janino 3.1.0 recommend 3.1.10

CVE-2024-41123
CVE-2024-41946
CVE-2023-33546
how to upgrade or remove them?

leandrojmp · August 16, 2024, 1:15pm

You can't upgrade them, only Elastic can.

You need to send an e-mail to security@elastic.co with those CVEs so Elastic can analyse them and decide if they impact Logstash or not.

jevonsnotes · August 19, 2024, 1:19am

ok，thks @leandrojmp

jevonsnotes · August 19, 2024, 1:26am

hi,about EPR vulnerability,Can you provide specific repair steps? i don't know how to upgrade them directly.
I am using the air-gapped docker image of EPR. thks

Topic		Replies	Views
ELK Security Kibana	6	84	August 26, 2024
Fix for CVE-2023-52428 in logstash Elastic Security docker	3	65	August 14, 2024
CVE-2022-1471 Still Applicable in latest 7.* and 8. *, not listed on Security Issues Page Endpoint Security elastic-stack-security	4	875	October 12, 2023
Expected resolution for some vulnerabilities found Elasticsearch elastic-stack-security	1	42	November 9, 2024
Log4j2 vulnerability mitigation Logstash	7	1222	July 3, 2023

How to fix the security problem of the EPR and logstash 8.15.0

Related topics