Hi,
As part of the vulnerability assessment (VA) scan on our ELK servers, we identified that the bundled OpenJDK version is affected by multiple vulnerabilities. We are using a self-managed cluster. We did upgrade the ELK stack from version 8.13.2 to 8.15.2, but the OpenJDK vulnerabilities still remain unresolved.
Current Elasticsearch Version: 8.15.2
Path: /usr/share/elasticsearch/jdk/
Installed Bundled JDK Version: 22.0.1
The reported CVE IDs are:
- CVE-2024-21131
- CVE-2024-21138
- CVE-2024-21140
- CVE-2024-21144
- CVE-2024-21145
- CVE-2024-21147
Our security team has suggested upgrading to an OpenJDK version greater than 22.0.1.
Is it possible to manually upgrade the bundled OpenJDK version? If so, how can this be done? If not, what is the recommended solution to resolve these vulnerabilities?
Alternatively, do we need to upgrade the entire ELK stack again, as we did previously, to a newer version? (This approach isn’t ideal, as it would require manual intervention each time a new VA is discovered.)
I've already gone through Java (JVM) Version, but it didn't help.
I would appreciate any guidance on this matter.
Thanks.