CRITICAL Vulnerability found in non-os package type (java) - /elastic-apm-agent-1.21.0.jar:slf4j-api (CVE-2018-8088 - https://nvd.nist.gov/vuln/detail/CVE-2018-8088)
This showed up in an earlier version, too (1.17.0). 1.21.0 is the latest and still has this?
For this particular case it seems like a false positive.
The CVE is about the slf4j-ext module which the agent does not use. We only use slf4j-api which does not contain the vulnerable org.slf4j.ext.EventData class.
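One way to check the claim in the reply above against a jar on disk, as an added example that is not part of the original thread or the agent's own code: search the archive, including nested jars, for the `org.slf4j.ext.EventData` class. Matching on the path suffix so that relocated (shaded) package prefixes are also caught is an assumption, and the sample jars are constructed in memory.

```python
import io
import zipfile

# Class named in the reply above as the vulnerable one (it ships in slf4j-ext).
# Suffix match is an assumption so relocated/shaded prefixes are also caught.
VULN_CLASS_SUFFIX = "slf4j/ext/EventData.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")
MAX_DEPTH = 5  # bound recursion into nested archives


def find_class(data, suffix=VULN_CLASS_SUFFIX, _path="", _depth=0):
    """Return paths of entries ending in `suffix`, descending into nested archives."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (or corrupt): nothing to report
    with zf:
        for info in zf.infolist():
            where = f"{_path}!/{info.filename}" if _path else info.filename
            if info.filename.endswith(suffix):
                hits.append(where)
            elif info.filename.lower().endswith(ARCHIVE_EXTS) and _depth < MAX_DEPTH:
                hits += find_class(zf.read(info), suffix, where, _depth + 1)
    return hits


def make_jar(entries):
    """Build an in-memory jar from {entry_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not the real agent jar.
API_ONLY = make_jar({"org/slf4j/Logger.class": b"", "org/slf4j/LoggerFactory.class": b""})
WITH_EXT = make_jar({"lib/slf4j-ext.jar": make_jar({"org/slf4j/ext/EventData.class": b""})})

if __name__ == "__main__":
    import sys
    for jar_path in sys.argv[1:]:
        with open(jar_path, "rb") as fh:
            found = find_class(fh.read())
        print(jar_path, "->", found or "EventData class not present")
```

An empty result supports treating the scanner match on `slf4j-api` as a false positive for this CVE; any hit means the flagged class really is packaged and the finding needs a closer look.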
Oh, thank you. I did not realize there was a separate process for this. In any case, this was Anchore finding this, if that helps at all. Forgot to mention that in original question.