Spring4Shell ::Spring Framework Remote Code Execution Vulnerability

Vishnu_Vijay · March 31, 2022, 5:09pm

Hello,

We are using Elasticsearch 6.3.2 & 6.8.23

Please let us know, whether ES is using spring boot war and whether Elasticsearch is impacted any way by the reported spring shell vulnerability.

Please suggest, whether we need to take any steps from our end for mitigating the same

dadoonet · March 31, 2022, 5:24pm

ES does not use Spring Boot.

We are using Elasticsearch 6.3.2

You should really upgrade this version.

system · March 31, 2022, 5:24pm

Elasticsearch 6.3 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )

Vishnu_Vijay · April 1, 2022, 7:39am

Thanks

Ossenfeld · April 1, 2022, 8:26am

Will there be any official statement from Elastic concerning Spring4Shell or is it not needed because ES doesn't use spring at all?

system · April 29, 2022, 8:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

warkolm · May 3, 2022, 11:55pm

Please consider the marked solution as the official stance on this.

Topic		Replies	Views
Spring4Shell ::Spring Framework Remote Code Execution Vulnerability Elasticsearch	5	369	May 13, 2022
Spring4Shell ::Spring Framework Remote Code Execution Vulnerability Elasticsearch	2	180	May 24, 2022
Are any of Elastic's products affected by CVE-2022-22965? Elastic Security	4	940	May 13, 2022
Spring Boot Starter connecting to ES 6.2.3 Elasticsearch	1	1982	May 4, 2018
Spring4Shell ::Spring Framework Remote Code Execution Vulnerability for eck operator Elasticsearch docker	1	210	May 12, 2022