We are seeing that a vulnerable version of Apache Lucene [8.11.3] is consumed in Elasticsearch. It is related to the Apache Lucene replicator. Here it is recommended to upgrade to version 9.12.0 of Lucene, but the highest Elasticsearch version (8.15.3) contains version 9.11.1 of Lucene. We wanted to understand what the plan is from the ES side to fix this vulnerability.
Hello and welcome,
You need to send an e-mail to security@elastic.co. Elastic does not comment on possible vulnerabilities on public forums.
That is no longer the latest version of Elasticsearch. Elasticsearch 8.16 was recently released and seems to use Lucene 9.12 according to the release notes. I would recommend you upgrade.