Hi,
My team recently deployed Elasticsearch v8.2.0 into an HPE Ezmeral Container Platform (Kubernetes-based) using ECK.
Everything is working. However, this platform runs a vulnerability scan on new containers and detected many High and Critical vulnerabilities. Many of them are related to the log4j issue that Elastic already addressed.
Could these vulnerabilities be false positives? Any other ideas?
Image Tag: docker.elastic.co/elasticsearch/elasticsearch:8.2.0
Sample list of vulnerabilities:
- "CRITICAL Vulnerability found in non-os package type (java) - /usr/share/Elasticsearch/modules/repository-gcs/log4j-1.2-api-2.17.1.jar (CVE-2022-23305 - NVD - CVE-2022-23305)"
- "CRITICAL Vulnerability found in non-os package type (java) - /usr/share/Elasticsearch/modules/repository-gcs/log4j-1.2-api-2.17.1.jar (CVE-2019-17571 - NVD - CVE-2019-17571)"
- "CRITICAL Vulnerability found in non-os package type (java) - /usr/share/Elasticsearch/modules/repository-s3/log4j-1.2-api-2.17.1.jar (CVE-2020-9493 - NVD - CVE-2020-9493)"
Thanks,
Jorge