We observed there are several components used in the Elasticsearch package (8.17.1) which, even when upgraded, refer to old libraries with open vulnerabilities. In our organization, these vulnerabilities are flagged on a regular basis even when we upgrade to the latest versions. How do we know in which version these vulnerabilities will be fixed and in what timelines, so that we can update our security scanning team?
Component name and version
ubuntu:focal:bash:5.0-6ubuntu1.2
net.minidev:json-smart:2.5.0
net.minidev:json-smart:2.5.1
ubuntu:focal:libc6:2.31-0ubuntu9.16
ubuntu:focal:libc-bin:2.31-0ubuntu9.16
ubuntu:focal:libhogweed5:3.5.1+really3.5.1-2ubuntu0.2
ubuntu:focal:libidn2-0:2.2.0-2
ubuntu:focal:liblz4-1:1.9.2-2ubuntu0.20.04.1
ubuntu:focal:liblzma5:5.2.4-1ubuntu1.1
ubuntu:focal:libncurses6:6.2-0ubuntu2.1
ubuntu:focal:libncursesw6:6.2-0ubuntu2.1
ubuntu:focal:libnettle7:3.5.1+really3.5.1-2ubuntu0.2
ubuntu:focal:libpcre3:2:8.39-12ubuntu0.1
ubuntu:focal:libtinfo6:6.2-0ubuntu2.1
ubuntu:focal:libzstd1:1.4.4+dfsg-3ubuntu0.1
org.apache.logging.log4j:log4j-core:2.12.4
ubuntu:focal:ncurses-base:6.2-0ubuntu2.1
ubuntu:focal:ncurses-bin:6.2-0ubuntu2.1
io.netty:netty-handler:4.1.115.final
Welcome! You mention that the issue persists even with upgraded versions, but you are using 8.17.1 which isn't the latest. Have you checked if these dependencies flag with 8.17.6, 8.18.1 or 9.0.1?
We have not upgraded to the latest since we have dependencies with other software packages. However, I had been comparing with several upgraded versions and it does not seem to get fixed.
That's a little vague. But note you are apparently using Ubuntu Focal aka Ubuntu 20.04 LTS, released April 2020, so it is now 5+ years old, and out of vendor support.
E.g. the version of bash included therein is unlikely to be updated any more, same for some of the other stuff on your list (ncurses/pcre/...), and these things have little or nothing to do with Elastic.
By all means report the CVEs to Elastic Security, but please focus on things supplied by Elastic and not the OS vendor (and make sure to understand the difference!).
That's actually quite poor, point taken. I saw you updated the GitHub issue.
Well, I don't know the specific CVE the OP's security audit tool thingy thinks might need fixing, but the bash in 20.04 LTS has this as the last entry in its changelog:
$ apt-get changelog bash
bash (5.0-6ubuntu1.2) focal-security; urgency=medium

  * SECURITY UPDATE: privilege gain via setuid
    - debian/patches/CVE-2019-18276.patch: replace the use of
      setuid and setgid when possible with setresuid and setresgid,
      respectively.
    - CVE-2019-18276

 -- David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com> Mon, 18 Apr 2022 11:14:46 +0200
April 2022 was last package release. I'll eat my hat if a bash update is issued for focal before its EOL.
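Added example (not from this thread, Elastic, or Canonical): a small Python triage helper for the two points raised above, separating the scanner's `ubuntu:focal:...` OS packages from the Maven `group:artifact:version` dependencies so each finding goes to the right owner, and locating which package version's `apt-get changelog` entry mentions a given CVE. The component list and changelog excerpt below are constructed samples in the same shape as the ones quoted in the thread.

```python
import re
# Constructed sample in the same shape as the scanner identifiers listed in the question.
SAMPLE_COMPONENTS = [
    "ubuntu:focal:bash:5.0-6ubuntu1.2",
    "net.minidev:json-smart:2.5.1",
    "ubuntu:focal:libpcre3:2:8.39-12ubuntu0.1",  # Debian epoch "2:" sits inside the version
    "org.apache.logging.log4j:log4j-core:2.12.4",
    "io.netty:netty-handler:4.1.115.final",
]
# Constructed excerpt in the layout `apt-get changelog` prints, mirroring the entry quoted above.
SAMPLE_CHANGELOG = """\
bash (5.0-6ubuntu1.2) focal-security; urgency=medium

  * SECURITY UPDATE: privilege gain via setuid
    - debian/patches/CVE-2019-18276.patch: replace the use of
      setuid and setgid when possible with setresuid and setresgid,
      respectively.
    - CVE-2019-18276

 -- David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>  Mon, 18 Apr 2022 11:14:46 +0200
"""

def classify(component):
    """Split one scanner identifier; a Debian epoch ('2:') means the version can itself contain ':'."""
    parts = component.split(":")
    if parts[0] == "ubuntu":  # ubuntu:<release>:<package>:<version> -> the OS vendor owns the fix
        return {"owner": "os-vendor", "name": parts[2], "version": ":".join(parts[3:])}
    return {"owner": "application", "name": parts[1], "version": ":".join(parts[2:])}  # Maven group:artifact:version

def triage(components):
    """Group findings by owner so OS-package CVEs are not reported to the application vendor."""
    buckets = {"os-vendor": [], "application": []}
    for component in components:
        info = classify(component)
        buckets[info["owner"]].append(info["name"])
    return buckets

ENTRY_HEADER = re.compile(r"^(\S+) \((\S+)\) \S+; urgency=\S+$", re.M)  # "<pkg> (<version>) <suite>; urgency=..."
TRAILER = re.compile(r"^ -- .*>  (.+)$", re.M)  # " -- Maintainer <email>  <upload date>"

def changelog_entry_for_cve(changelog, cve):
    """Return (version, upload date) of the first entry whose text mentions `cve`, or None if none does."""
    headers = list(ENTRY_HEADER.finditer(changelog))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        body = changelog[h.end():end]
        if cve.upper() in body.upper():
            trailer = TRAILER.search(body)
            return h.group(2), (trailer.group(1).strip() if trailer else None)
    return None
```

Feeding the real output of `apt-get changelog <pkg>` into `changelog_entry_for_cve` tells you whether the distro already shipped a fix for a flagged CVE and when, which is the evidence an internal security team usually asks for.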
Yes, we are using official images. Thanks for your reply. Will contact security@elastic.co with the CVEs reported. Their judgement would help us answer our internal security team.