Spring4Shell ::Spring Framework Remote Code Execution Vulnerability

Sagarika_Mahalik · April 14, 2022, 7:07am

Hello,

We are using Elasticsearch 7.16.3 and Elasticsearch 7.15.1.

Can you let us know which java version both the Elasticsearch versions are using?
Please let us know, whether ES is affected any way by the reported spring shell vulnerability.

Please suggest, whether we need to take any steps from our end for mitigating the same

dadoonet · April 14, 2022, 7:56am

It's printed in the logs
No.

Sagarika_Mahalik · April 14, 2022, 4:10pm

whether ES is affected any way by the reported spring shell vulnerability:
Can I get an explanation for that why it is not affected?

Sagarika_Mahalik · April 14, 2022, 4:24pm

I checked the java version we are using for ES 7.16.3 is Java 17. Also, we use Elasticsearch-rest-client, Elasticsearch-rest-high-level-client and spring data too. Will these affected by the Spring4Shell ::Spring Framework Remote Code Execution Vulnerability?

dadoonet · April 15, 2022, 12:20pm

Elasticsearch does not use Spring. So it can't be affected by it.

If you are using Spring, then, that's another story but this is something you should check on the Spring forums IMO.

system · May 13, 2022, 12:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Spring4Shell ::Spring Framework Remote Code Execution Vulnerability Elasticsearch	6	4027	May 3, 2022
Spring4Shell ::Spring Framework Remote Code Execution Vulnerability Elasticsearch	2	180	May 24, 2022
Are any of Elastic's products affected by CVE-2022-22965? Elastic Security	4	940	May 13, 2022
Spring4Shell ::Spring Framework Remote Code Execution Vulnerability for eck operator Elasticsearch docker	1	210	May 12, 2022
Spring data and elasticsearch (6+) release confusion Elasticsearch	6	3440	September 18, 2018

Spring4Shell ::Spring Framework Remote Code Execution Vulnerability

Related topics