A scan is turning up a CVE for this:
CRITICAL Vulnerability found in non-os package type (java) - /elastic-apm-agent-1.21.0.jar:slf4j-api (CVE-2018-8088 - https://nvd.nist.gov/vuln/detail/CVE-2018-8088)
This showed up in an earlier version, too (1.17.0). 1.21.0 is the latest and still has this?
Hi and thanks a lot for the report.
For security reports, please don't report them in the forum but stick to the process laid out in Free and Open Search: The Creators of Elasticsearch, ELK & Kibana | Elastic.
For this particular case it seems like a false positive.
The CVE is about the slf4j-ext module which the agent does not use. We only use slf4j-api which does not contain the vulnerable org.slf4j.ext.EventData class.
Nevertheless, I'll update the slf4j version and make sure we'll stay up to date with new versions: Update slf4j and add to dependabot allow list by felixbarny · Pull Request #1669 · elastic/apm-agent-java · GitHub
Oh, thank you. I did not realize there was a separate process for this. In any case, this was Anchore finding this, if that helps at all. Forgot to mention that in original question.
Cheers.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.