Vulnerabilities in docker image elasticsearch/elasticsearch:7.17.8

Jayasree_N · January 18, 2023, 5:44am

Hi,

we are using elasticsearch/elasticsearch:7.17.8 docker image.
We are getting few CVEs reported as high with the vulnerabilities scanning report.

CVE-2021-31684 -- nimbus-jose-jwt and json-smart
CVE-2020-36518 -- jackson-databind
CVE-2022-3509 -- protobuf-java
CVE-2021-40690 -- xmlsec
CVE-2022-43551 -- ubuntu
CVE-2022-3510 -- protobuf-java
CVE-2022-40152 -- woodstox-core
CVE-2021-37136 -- netty-codec
CVE-2022-41915 -- netty-codec-http
CVE-2020-8908 -- guava

Any suggestions how to fix these vulnerabilities ?

ikakavas · January 18, 2023, 6:06am

Thank you for your report.

Elastic's security reporting guidelines are available at Security issues | Elastic.

Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.

dadoonet · January 18, 2023, 7:37am

Just a note. The version you mentioned is not the latest of the 7.17 series. You should upgrade your version IMHO.

Jayasree_N · January 18, 2023, 2:19pm

@dadoonet, as per this documentation Release notes | Elasticsearch Guide [7.17] | Elastic, seems 7.17.8 is the latest release on 7.17 series. Could you please help in point me if there is any new release available for 7.17 series.

Thanks
JN

Jayasree_N · January 18, 2023, 2:20pm

@ikakavas, Thank you for the reply. I will email to security@elastic.co.

dadoonet · January 18, 2023, 2:55pm

My bad. I misread your post sorry.