Impact of CVE-2022-42889 on Elastic stack

Hi there, is the Elastic software affected by CVE-2022-42889, and if so, what are the actions recommended? Thanks.

2 Likes

Please see Security issues | Elastic:

Users and customers may report any other potential security issues to security@elastic.co. This address can be used for product security related inquiries or requests about other security topics that are not explicitly mentioned here. We can accept only security issues at this address. Bug reports should be directed to the bug database of the project you're reporting it on or raised to Elastic Support.

If you would like to encrypt your message to us, please use our PGP key. The fingerprint is

1224 D1A5 72A7 3755 B61A 377B 14D6 5EE0 D2AE 61D2

The key is available via keyservers; search for 'security@elastic.co'.

Hi @warkolm,
Thanks for the link to "Security issues". However, the current absence of an advisory concerning CVE-2022-42889 does not conclusively say whether you have looked into the issue at all.

A clear statement whether Elastic products are affected or not by CVE-2022-42889 would be highly appreciated.

Thanks and best regards,
Michael

1 Like

Elastic products do not depend on commons-text, do not bundle commons-text and thus are not affected by CVE-2022-42889 in any way.

> Thanks for the link to "Security issues". However, the current absence of an advisory concerning CVE-2022-42889 does not conclusively say whether you have looked into the issue at all.

Thank you for your comment, @mgrafl. As you can probably understand, there are tens of CVE vulnerabilities being published every day. We cannot be adding an advisory for each one of them that does not affect Elastic products in any way, as the noise would be so high that it would drown all the legitimate advisories that our users need to be informed about.

4 Likes

Hello. Why is commons-text-1.3.jar included in support-diagnostics? Seems it is not required here.
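
One way to check an installation directory for bundled commons-text copies, the question this thread turns on. This is an added example, not code from Elastic or from any poster. The affected range (1.5 through 1.9, fixed in 1.10.0) comes from the Apache Commons Text advisory for CVE-2022-42889 rather than from this thread, and the script name and status labels are assumptions.

```python
import re
import sys
import zipfile
from pathlib import Path

# CVE-2022-42889 affects Apache Commons Text 1.5 through 1.9; 1.10.0 is the fixed release.
FIRST_AFFECTED, FIRST_FIXED = (1, 5), (1, 10)
JAR_NAME = re.compile(r"(?:^|/)commons-text-(\d+(?:\.\d+)*)\.jar$")
SHADED_CLASS = "org/apache/commons/text/StringSubstitutor.class"


def classify(version):
    """Map a commons-text version string to its CVE-2022-42889 status."""
    v = tuple(int(part) for part in version.split("."))
    if v < FIRST_AFFECTED:
        return "below affected range"
    return "fixed" if v >= FIRST_FIXED else "affected"


def scan(root):
    """Return sorted (location, version, status) for each commons-text copy under root."""
    root, findings = Path(root), []
    for jar in root.rglob("*.jar"):
        rel = jar.relative_to(root).as_posix()
        named = JAR_NAME.search(jar.name)
        if named:  # stand-alone library jar, version taken from the file name
            findings.append((rel, named.group(1), classify(named.group(1))))
            continue
        try:
            with zipfile.ZipFile(jar) as archive:
                entries = archive.namelist()
        except (zipfile.BadZipFile, OSError):
            continue  # not a readable archive, nothing to inspect
        for entry in entries:
            nested = JAR_NAME.search(entry)
            if nested:  # library packed inside a fat jar
                findings.append((f"{rel}!{entry}", nested.group(1), classify(nested.group(1))))
            elif entry == SHADED_CLASS:  # classes merged in, version unknown
                findings.append((f"{rel}!{entry}", "unknown", "review manually"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_commons_text.py <install-dir> (defaults to the current directory)
    for location, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:22} {version:8} {location}")
```

Versions are read from file names only, so a renamed jar or a shaded copy is reported for manual review rather than classified.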
