Is the dependent jars can be upgraded

mohammed_rizwan · March 31, 2021, 5:53am

Hi team,

We are using the elastic search 7.2.0 which depends on snakeyaml version 1.17.
Snakeyaml 1.17 has security vulnerabilities and we plan to upgrade it to the latest version 1.28.

Is upgrading the dependant snakeyaml jars alone, recommended?
Will elastic search works with snakeyaml 1.28 or do we have to stick with snakeyaml 1.17?

Thanks,
Mohammed

dadoonet · March 31, 2021, 6:17am

Welcome!

The recommendation is to upgrade Elasticsearch to 7.12.0 which is the latest.

warkolm · March 31, 2021, 7:32am

And, to be clear, that is the only supported upgrade path to resolve issues like this.
If you start upgrading individual JARs, you are running risks that we cannot help fix if things go wrong.

mohammed_rizwan · April 1, 2021, 6:43am

Thanks, @dadoonet, and @warkolm for the quick reply

system · April 29, 2021, 6:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch 7.17 and logstash7.17 have security issues with snakeyaml low versions and need to be upgraded to 2.0 or higher Elasticsearch	1	16	October 31, 2024
Which version of elasticsearch solve the CVE-2022-1471(snakeyaml need bump to 2.0 version) Kibana	2	372	April 9, 2024
Fixing snakeyaml vulnerability (CVE-2022-1471) on older ES versions Elasticsearch docker	6	3410	April 13, 2023
Snakeyaml vulnerability (CVE-2022-1471) on latest ES version Elasticsearch elastic-stack-security	2	1378	April 13, 2023
CVE-2022-1471 is not listed in Security Issues site Elasticsearch	2	569	May 15, 2023

Is the dependent jars can be upgraded

Related topics