Spring4Shell ::Spring Framework Remote Code Execution Vulnerability

Vishnu_Vijay · March 31, 2022, 5:09pm

Hello,

We are using Elasticsearch 6.3.2 & 6.8.23

Please let us know, whether ES is using spring boot war and whether Elasticsearch is impacted any way by the reported spring shell vulnerability.

Please suggest, whether we need to take any steps from our end for mitigating the same

dadoonet · March 31, 2022, 5:24pm

ES does not use Spring Boot.

We are using Elasticsearch 6.3.2

You should really upgrade this version.

system · March 31, 2022, 5:24pm

Elasticsearch 6.3 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )

Vishnu_Vijay · April 1, 2022, 7:39am

Thanks

Ossenfeld · April 1, 2022, 8:26am

Will there be any official statement from Elastic concerning Spring4Shell or is it not needed because ES doesn't use spring at all?

system · April 29, 2022, 8:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

warkolm · May 3, 2022, 11:55pm

Please consider the marked solution as the official stance on this.

Topic		Replies	Views
Spring + ES 8 server, can't make it compatible Elasticsearch docker , language-clients	1	1283	October 14, 2022
Elasticsearch AbstractElasticsearchRepository. e:Request processing failed; nested exception is org.springframework.dao.DataAccessResourceFailureException: Timeout connecting to [elasticsearch. Timeout connecting to Springboot Application Error Elasticsearch	8	1342	February 27, 2023
Does Log4j vulnerability (CVE-2021-44228) is impacted for ES v7.5.2? Elasticsearch	2	1268	January 17, 2022
Bitbucket and Elastic security question! Elasticsearch	4	1060	March 11, 2022
DockerHub showing Log4Shell vulnerability on supported version Elasticsearch docker	2	1117	January 17, 2022