Remedy for CVE-2018-8088 in elastic-apm-agent-1.21.0.jar?

A scan is turning up a CVE for this:

CRITICAL Vulnerability found in non-os package type (java) - /elastic-apm-agent-1.21.0.jar:slf4j-api (CVE-2018-8088 - https://nvd.nist.gov/vuln/detail/CVE-2018-8088)

This showed up in an earlier version, too (1.17.0). 1.21.0 is the latest and still has this?

Hi and thanks a lot for the report.

For security reports, please don't report them in the forum but stick to the process laid out in Free and Open Search: The Creators of Elasticsearch, ELK & Kibana | Elastic.

For this particular case it seems like a false positive.
The CVE is about the slf4j-ext module which the agent does not use. We only use slf4j-api which does not contain the vulnerable org.slf4j.ext.EventData class.

Nevertheless, I'll update the slf4j version and make sure we'll stay up to date with new versions: Update slf4j and add to dependabot allow list by felixbarny · Pull Request #1669 · elastic/apm-agent-java · GitHub

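The triage argument above (the CVE concerns org.slf4j.ext.EventData from slf4j-ext, which slf4j-api does not ship) can be checked directly against the jar the scanner flagged. The following is an added example, not code from the thread or from the Elastic APM project: it opens a jar as a zip, looks for any entry ending in `slf4j/ext/EventData.class` (suffix match, on the assumption that a shaded jar may have relocated the package), and also descends one level into nested `.jar` entries. The two sample jars are constructed in memory so the script runs offline; pass a real path as the first argument to inspect an actual artifact.

```python
import io
import sys
import zipfile

# Class named by the thread as the subject of CVE-2018-8088: org.slf4j.ext.EventData.
# It lives in slf4j-ext, not slf4j-api. Matched by suffix so package relocation
# (shading) does not hide it; the exact relocation prefix, if any, is not assumed.
VULNERABLE_CLASS_SUFFIX = "slf4j/ext/EventData.class"


def find_class(jar_bytes: bytes, class_suffix: str = VULNERABLE_CLASS_SUFFIX,
               prefix: str = "") -> list[str]:
    """Return every entry path (in the jar and one level of nested jars)
    whose name ends with class_suffix. Nested jars are reported as
    outer.jar!/inner/path.class."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(class_suffix):
                hits.append(prefix + name)
            elif name.endswith(".jar"):
                # Descend into a bundled dependency jar.
                hits.extend(find_class(zf.read(name), class_suffix, prefix + name + "!/"))
    return hits


def build_jar(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory jar (a zip) from name -> content. Only used to
    construct sample inputs for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real artifacts). Class bodies are just the class-file magic.
MAGIC = b"\xca\xfe\xba\xbe"
API_ONLY_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/slf4j/Logger.class": MAGIC,
    "org/slf4j/LoggerFactory.class": MAGIC,
})
WITH_EXT_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/slf4j/Logger.class": MAGIC,
    # A bundled slf4j-ext jar, so the vulnerable class is reachable one level down.
    "lib/slf4j-ext.jar": build_jar({"org/slf4j/ext/EventData.class": MAGIC}),
})


def triage(jar_bytes: bytes) -> str:
    """Summarise whether the class the CVE concerns is actually shipped."""
    hits = find_class(jar_bytes)
    if not hits:
        return "not present: vulnerable class not shipped (finding likely keyed on the dependency name)"
    return "present: " + ", ".join(hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read()))
    else:
        print("api-only jar :", triage(API_ONLY_JAR))
        print("with-ext jar :", triage(WITH_EXT_JAR))
```

A "not present" result supports closing the finding as a false positive in the scanner (with the check recorded), while a "present" result means the vulnerable class really is on the classpath and the finding stands regardless of which dependency name the scanner reported.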

Oh, thank you. I did not realize there was a separate process for this. In any case, this was Anchore finding this, if that helps at all. Forgot to mention that in the original question.

Cheers.
