Some vulnerabilities in Elasticsearch v7.10.0

There are a few vulnerabilities coming from Elasticsearch 7.10.0.
Can you have a look into these issues? Are they false positives? If not, how can we mitigate these issues?

NVD - CVE-2021-22147

NVD - CVE-2021-22145

NVD - CVE-2021-22144

NVD - CVE-2021-22134

NVD - CVE-2021-22132

NVD - CVE-2021-22135

The reports indicate that newer versions of Elasticsearch are unaffected so the recommendation is to upgrade.

Note that these vulnerabilities apply to the security implementation that is available with the default distribution of Elasticsearch. As the OSS distribution, which was available up until version 7.10, does not come with any security at all, these do not apply. Not having security at all is naturally a huge security issue, but not necessarily one captured by CVEs.

If you are using the OSS version with some 3rd party plugin (e.g. OpenDistro) for security, you instead need to check whether that plugin has a CNA and any separate open CVEs. If there is no CNA or no open CVEs, your security scanner may not report any errors, but this does not necessarily mean there are no security vulnerabilities, just that none has officially been reported.
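As an added example (not code from this thread or from Elastic), the triage logic of the reply above written as a small script: it reads a node's `GET /` response, uses `version.build_flavor` to tell the default distribution (ships X-Pack security, so the CVEs are in scope) from the OSS distribution (no X-Pack security, so the CVEs are false positives but the cluster is unauthenticated unless a plugin adds security), and compares the running version against the first fixed release. The sample responses are constructed; the fixed version is a placeholder you must replace with the value from each CVE's NVD entry, since the thread only says "newer versions".

```python
import json
from typing import Optional, Tuple

# CVE identifiers exactly as listed in the question above.
THREAD_CVES = [
    "CVE-2021-22147", "CVE-2021-22145", "CVE-2021-22144",
    "CVE-2021-22134", "CVE-2021-22132", "CVE-2021-22135",
]

# Placeholder: the thread only says "newer versions" are unaffected, so take the
# real first-fixed release for each CVE from its NVD entry before relying on this.
ASSUMED_FIXED_VERSION = "7.14.0"

# Constructed sample responses from `GET /` (same shape as a real 7.10.0 node's
# root endpoint; node name, cluster name, UUID and build hash are invented).
SAMPLE_ROOT_DEFAULT = json.dumps({
    "name": "node-1",
    "cluster_name": "example-cluster",
    "cluster_uuid": "EXAMPLE-UUID",
    "version": {
        "number": "7.10.0",
        "build_flavor": "default",
        "build_type": "tar",
        "build_hash": "EXAMPLE-HASH",
        "lucene_version": "8.7.0",
    },
    "tagline": "You Know, for Search",
})
SAMPLE_ROOT_OSS = json.dumps({
    "name": "node-2",
    "cluster_name": "example-oss-cluster",
    "cluster_uuid": "EXAMPLE-UUID-2",
    "version": {
        "number": "7.10.0",
        "build_flavor": "oss",
        "build_type": "tar",
        "build_hash": "EXAMPLE-HASH-2",
        "lucene_version": "8.7.0",
    },
    "tagline": "You Know, for Search",
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.10.0' (or '7.10.0-SNAPSHOT') into a comparable tuple (7, 10, 0)."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def triage(root_json: str, fixed_in: str = ASSUMED_FIXED_VERSION,
           security_plugin: Optional[str] = None) -> dict:
    """Decide whether the X-Pack security CVEs above apply to one node.

    root_json: body returned by `GET /`.
    fixed_in: first release containing the fixes (placeholder default, see above).
    security_plugin: name of a third-party security plugin installed on an OSS
        node (for example as shown by `GET /_cat/plugins`), or None if none.
    """
    info = json.loads(root_json)
    flavor = info["version"]["build_flavor"]
    number = info["version"]["number"]
    result = {"version": number, "flavor": flavor, "cves": THREAD_CVES}

    if flavor == "default":
        # The default distribution ships X-Pack security, so the CVEs are in
        # scope whenever the running version predates the fixed release.
        affected = parse_version(number) < parse_version(fixed_in)
        result["xpack_cves_apply"] = affected
        result["action"] = (f"upgrade to {fixed_in} or later" if affected
                            else "not affected by the listed CVEs")
    elif flavor == "oss":
        # The OSS distribution has no X-Pack security at all: the scanner hits
        # are false positives, but the missing security layer is the real issue.
        result["xpack_cves_apply"] = False
        if security_plugin is None:
            result["action"] = ("no security layer: move to the default "
                                "distribution with security enabled, or add a "
                                "security plugin")
        else:
            result["action"] = (f"check the {security_plugin} vendor's CNA and "
                                "open CVEs separately; a clean scan only means "
                                "nothing has been reported")
    else:
        raise ValueError(f"unknown build_flavor: {flavor!r}")
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_ROOT_DEFAULT, SAMPLE_ROOT_OSS):
        print(json.dumps(triage(sample), indent=2))
```

Run it against the real body of `GET /` from your own node instead of the samples; the `build_flavor` field is what separates "upgrade" from "these CVEs do not apply, but you have no security" in the reply above.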