Issue with OpenJDK Vulnerabilities (CVE-2024) in Elasticsearch 8.15.2

DavidTurner · April 23, 2025, 9:46am

There's quite a lot of breaking changes in the release notes not to mention other stuff that landed in 9.x but hasn't been backported to 8.x.

I know you said you didn't mean to be rude but this was pretty rude @RainTown. It is not obvious how to check the JDK version bundled with each version, and downloading each 300MiB+ release just to look at the JDK version is not exactly user-friendly.

You can determine the JDK version for each release by looking at the source here:

github.com/elastic/elasticsearch

build-tools-internal/version.properties

v8.18.0


      
          elasticsearch     = 8.18.0
          lucene            = 9.12.1
          
          bundled_jdk_vendor = openjdk
          bundled_jdk = 24+36@1f9ff9062db4449d8ca828c504ffae90
          # optional dependencies
          spatial4j         = 0.7
          jts               = 1.15.0
          jackson           = 2.15.0
          snakeyaml         = 2.0
          icu4j             = 68.2
          supercsv          = 2.4.0
          log4j             = 2.19.0
          slf4j             = 2.0.6
          ecsLogging        = 1.2.0

Adjust the v8.18.0 in the URL to refer to other versions as you see fit.

Topic		Replies	Views
Elasticsearch 8.15.2: OpenJDK CVEs Elasticsearch elastic-stack-security	4	60	April 21, 2025
Issue with OpenJDK Vulnerabilities (CVE-2024) in Elasticsearch 8.15.2 Elasticsearch elastic-stack-security	4	139	April 21, 2025
Vulnerable Java version bundled with 8.14.3 & 8.15 Elasticsearch elastic-stack-security	8	762	September 11, 2024
ELK upgrade to 7.17.10 Elasticsearch	3	219	July 19, 2023
151209 (4) - OpenJDK 7 <= 7u281 / 8 <= 8u272 / 11.0.0 <= 11.0.9 / 13.0.0 <= 13.0.5 / 15.0.0 <= 15.0.1 Vulnerability (2021-01-19) Elasticsearch	8	936	February 17, 2023

Issue with OpenJDK Vulnerabilities (CVE-2024) in Elasticsearch 8.15.2

Related topics