Spring4Shell: Spring Framework Remote Code Execution Vulnerability

Hello,

We are using Elasticsearch 6.3.2 & 6.8.23.

Please let us know whether ES is using a Spring Boot WAR and whether Elasticsearch is impacted in any way by the reported spring shell vulnerability.

Please suggest whether we need to take any steps from our end for mitigating the same.

ES does not use Spring Boot.

We are using Elasticsearch 6.3.2

You should really upgrade this version.

Elasticsearch 6.3 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

Thanks :slight_smile:

Will there be any official statement from Elastic concerning Spring4Shell, or is it not needed because ES doesn't use Spring at all?

Please consider the marked solution as the official stance on this.