Snakeyaml vulnerability (CVE-2022-1471) on latest ES version

Aviv_Nevo · March 16, 2023, 1:13pm

Hi

Need help regarding CVE-2022-1471 (snakeyaml):

Is there any fix for that in any ES version?
AFAIK, in the latest version, this package hasn't been updated.
Is there any plan to update the damaged package of snakeyaml?
Can I manually change the snakeyaml version? and how? (elasticsearch.yml maybe?)

The main reason this change is required is that we can't upload new images to GCP marketplace due to this vulnerability that is caused by ES.

DavidTurner · March 16, 2023, 3:02pm

We would rather not discuss potential security issues here. Please see this page for more information on the proper process to raise such issues:

system · April 13, 2023, 3:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CVE-2022-1471 is not listed in Security Issues site Elasticsearch	2	569	May 15, 2023
Fixing snakeyaml vulnerability (CVE-2022-1471) on older ES versions Elasticsearch docker	6	3410	April 13, 2023
CVE-2022-1471 is not listed in Security Issues site Logstash	2	274	July 19, 2023
Which version of elasticsearch solve the CVE-2022-1471(snakeyaml need bump to 2.0 version) Kibana	2	372	April 9, 2024
CVE-2022-1471 Still Applicable in latest 7.* and 8. *, not listed on Security Issues Page Endpoint Security elastic-stack-security	4	875	October 12, 2023