Spring4Shell: Spring Framework Remote Code Execution Vulnerability


We are using Elasticsearch 6.3.2 & 6.8.23

Please let us know whether ES is using a Spring Boot WAR and whether Elasticsearch is impacted in any way by the reported spring shell vulnerability.

Please suggest whether we need to take any steps from our end for mitigating the same.

ES does not use Spring Boot.

We are using Elasticsearch 6.3.2

You should really upgrade this version.

Elasticsearch 6.3 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns.)

Thanks :)

Will there be any official statement from Elastic concerning Spring4Shell, or is it not needed because ES doesn't use Spring at all?

Please consider the marked solution as the official stance on this.