Vulnerabilities in latest docker image of Elasticsearch 8.3.1

Hi,

We are using Elasticsearch 8.3.1 for one of our projects.
While scanning Elasticsearch 8.3.1 with the Aquasec scanner, we are getting a few CVEs:

These CVEs are associated with various Java-based packages that have high-severity vulnerabilities:
CVE-2021-40690 xmlsec 2.1.4
CVE-2020-36518 jackson-databind 2.13.2
CVE-2020-36518 jackson-databind 2.13.1
CVE-2021-31684 json-smart 1.3.2

I even tried pulling the latest image, which is 8.3.2 at the time of writing, and it yields the same results.

How are xmlsec, jackson-databind and json-smart being used in Elasticsearch?
Would it be possible to update the packages in Elasticsearch?

Edit: Our datahub deployment failed with Elasticsearch 8.3.1. We are forced to use 7.16.2 as datahub isn't compatible with versions after that. Is it possible to release a version/bugfix with these vulnerability resolutions:
CVE              Package                   Version        Fixed Version   Published by NVD
CVE-2020-25649   jackson-databind          2.10.4         2.10.5.1        2020-12-03
CVE-2020-36518   jackson-databind          2.10.4         2.12.6.1        2022-03-11
CVE-2021-37136   netty-codec               4.1.66.Final   4.1.68.Final    2021-10-19
CVE-2021-37137   netty-codec               4.1.66.Final   4.1.68.Final    2021-10-19
CVE-2021-31684   json-smart                1.3.2          2.4.5           2021-06-01
CVE-2021-40690   xmlsec                    2.1.4          2.1.7           2021-09-19
CVE-2020-28491   jackson-dataformat-cbor   2.10.4         2.11.4          2021-02-18

Thanks and regards
Chitransh Teotia

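Before asking a vendor to rebuild an image, the first check a practitioner runs on a report like the one above is whether each flagged jar really predates the fix. The scanner prints one "fixed version", but a library fix is normally released on several release lines (2.10.x, 2.12.x, 2.13.x), and a plain numeric comparison against one of them gives wrong answers: the post's own jackson-databind 2.13.2 compares as newer than 2.12.6.1 yet the 2.13 line needs its own fix release. The example below is added here and is not code from the post, from Elastic or from Aqua. It compares Maven-style versions (numeric segments plus qualifiers such as Final or rc1), treats major.minor as the release line, and triages each finding as vulnerable, fixed, or "check-advisory" when the advisory lists no fix for the installed line. The findings list is constructed from the versions quoted in the post; the status names and the release-line rule are this example's own choices. Note what the check does not tell you: that a jar predates the fix says nothing about whether Elasticsearch's use of the library reaches the vulnerable code, which is the question the post asks and only the vendor's advisory answers.

```python
"""Triage container-scanner findings by comparing each jar's installed version
with the fixed version(s) the advisory lists, Maven-version aware.

Added example, not part of the original post and not Elastic's or Aqua's code.
The findings below are constructed from the versions quoted in the post.
"""
import re
from dataclasses import dataclass
from functools import cmp_to_key

# Maven orders pre-release qualifiers below the plain release; "final" / "ga"
# are aliases for the release itself. Unknown words are treated as a release.
_QUALIFIER_RANK = {
    "alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
    "rc": 3, "cr": 3, "snapshot": 4, "": 5, "final": 5, "ga": 5, "release": 5,
}


def parse_version(version: str) -> tuple:
    """Turn '4.1.68.Final' or '2.13.2-rc1' into a comparable tuple.

    Leading numeric segments compare as integers (so 2.10.4 > 2.9.1); the
    trailing qualifier compares by rank, then by its own number (rc1 < rc2).
    """
    parts = re.split(r"[.\-]", version.strip().lower())
    nums = []
    while parts and parts[0].isdigit():
        nums.append(int(parts.pop(0)))
    match = re.fullmatch(r"([a-z]*)(\d*)", "".join(parts))
    if not nums or match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    word, number = match.groups()
    return (nums, _QUALIFIER_RANK.get(word, 5), int(number or 0))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    na, ra, qa = parse_version(a)
    nb, rb, qb = parse_version(b)
    width = max(len(na), len(nb))          # pad so that 2.10.5 == 2.10.5.0
    na = na + [0] * (width - len(na))
    nb = nb + [0] * (width - len(nb))
    left, right = (na, ra, qa), (nb, rb, qb)
    return (left > right) - (left < right)


def release_line(version: str) -> tuple:
    """The branch a fix is backported to: major.minor, e.g. (2, 13) for 2.13.2."""
    nums = parse_version(version)[0]
    return tuple((nums + [0, 0])[:2])


@dataclass
class Finding:
    cve: str
    package: str
    installed: str
    fixed: list   # every fixed version the advisory lists, one per release line


def triage(finding: Finding) -> str:
    """'vulnerable', 'fixed', or 'check-advisory' when no fix is listed for the
    installed release line and the jar is not below every listed fix."""
    same_line = [f for f in finding.fixed
                 if release_line(f) == release_line(finding.installed)]
    if same_line:
        line_fix = min(same_line, key=cmp_to_key(compare_versions))
        return "vulnerable" if compare_versions(finding.installed, line_fix) < 0 else "fixed"
    lowest_fix = min(finding.fixed, key=cmp_to_key(compare_versions))
    if compare_versions(finding.installed, lowest_fix) < 0:
        return "vulnerable"           # below every fix on every line
    return "check-advisory"           # newer than the listed fixes, but on an unlisted line


# Constructed from the post's table; the fixed versions are the single ones it quotes.
SCAN_FINDINGS = [
    Finding("CVE-2020-25649", "jackson-databind", "2.10.4", ["2.10.5.1"]),
    Finding("CVE-2020-36518", "jackson-databind", "2.10.4", ["2.12.6.1"]),
    Finding("CVE-2021-37136", "netty-codec", "4.1.66.Final", ["4.1.68.Final"]),
    Finding("CVE-2021-31684", "json-smart", "1.3.2", ["2.4.5"]),
    Finding("CVE-2021-40690", "xmlsec", "2.1.4", ["2.1.7"]),
    Finding("CVE-2020-28491", "jackson-dataformat-cbor", "2.10.4", ["2.11.4"]),
    # The post's first list: a 2.13.x jar flagged against an advisory whose only
    # quoted fix is on the 2.12 line. "2.13.2 > 2.12.6.1" would wrongly read as
    # fixed; the 2.13 line needs its own fix release, so the verdict is to check.
    Finding("CVE-2020-36518", "jackson-databind", "2.13.2", ["2.12.6.1"]),
]


def triage_all(findings):
    """One (cve, package, installed, status) row per finding."""
    return [(f.cve, f.package, f.installed, triage(f)) for f in findings]


if __name__ == "__main__":
    for row in triage_all(SCAN_FINDINGS):
        print("%-15s %-25s %-14s %s" % row)
```

Run as-is it prints every row from the post's table as vulnerable and the 2.13.2 jackson-databind jar as check-advisory. Feeding the same finding a second fixed version on the 2.13 line (jackson-databind's 2.13 branch did receive its own fix release for this CVE, 2.13.2.1) flips that row to vulnerable, which is the point: triage against every fixed version the advisory names, not the one the scanner happened to print.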

Please see Security issues | Elastic;

Users and customers may report any other potential security issues to security@elastic.co. This address can be used for product security related inquiries or requests about other security topics that are not explicitly mentioned here.
