We are using Elasticsearch 8.3.1 for one of our projects.
While scanning Elasticsearch 8.3.1 with the Aquasec scanner, we get a few CVEs.
These CVEs are associated with various Java-based packages that have high-severity vulnerabilities:

- CVE-2021-40690 xmlsec 2.1.4
- CVE-2020-36518 jackson-databind 2.13.2
- CVE-2020-36518 jackson-databind 2.13.1
- CVE-2021-31684 json-smart 1.3.2
I even tried pulling the latest image, which is 8.3.2 at the time of writing; it yields the same results.
How are xmlsec, jackson-databind and json-smart being used in Elasticsearch?
Would it be possible to update the packages in Elasticsearch?
Edit: Our datahub deployment failed with Elasticsearch 8.3.1. We are forced to use 7.16.2 as datahub isn't compatible with versions after that. Is it possible to release a version/bugfix with these vulnerability resolutions:
| CVE | Package | Version | Fixed Version | Published by NVD |
| --- | --- | --- | --- | --- |
| CVE-2020-25649 | jackson-databind | 2.10.4 | 126.96.36.199 | 2020-12-03 |
| CVE-2020-36518 | jackson-databind | 2.10.4 | 188.8.131.52 | 2022-03-11 |
| CVE-2021-37136 | netty-codec | 4.1.66.Final | 4.1.68.Final | 2021-10-19 |
| CVE-2021-37137 | netty-codec | 4.1.66.Final | 4.1.68.Final | 2021-10-19 |
| CVE-2021-31684 | json-smart | 1.3.2 | 2.4.5 | 2021-06-01 |
| CVE-2021-40690 | xmlsec | 2.1.4 | 2.1.7 | 2021-09-19 |
| CVE-2020-28491 | jackson-dataformat-cbor | 2.10.4 | 2.11.4 | 2021-02-18 |
Thanks and regards
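A quick way to verify what a scanner reports, independently of the scanner, is to read the jar file names shipped in the distribution's `lib/` directory and compare each artifact's version against the first version that carries the fix. The script below is an added example, not part of the post and not Elastic's code. It assumes the jars follow the usual Maven naming scheme (`artifact-version.jar`), uses a simplified Maven-style version ordering (numeric components compared as integers, then qualifiers such as `rc` or `Final`), and seeds its fix table only from the rows of the table above whose fixed version is legible; the two jackson-databind rows are omitted because their fixed versions are garbled. The jar names used in the self-check are constructed to match the versions named in the post.

```python
"""Audit jar versions in a directory against a table of minimum fixed versions.

Added example for the discussion above; not the project's own tooling.
"""
import re
import sys
from pathlib import Path

# artifact -> first version containing the fix; taken from the legible rows of
# the post's table. Assumption: the table's "Fixed Version" is the minimum safe version.
FIXED_VERSIONS = {
    "netty-codec": "4.1.68.Final",        # CVE-2021-37136, CVE-2021-37137
    "json-smart": "2.4.5",                # CVE-2021-31684
    "xmlsec": "2.1.7",                    # CVE-2021-40690
    "jackson-dataformat-cbor": "2.11.4",  # CVE-2020-28491
}

# Simplified Maven qualifier ordering: pre-release qualifiers sort before a plain
# release; "final"/"ga"/"release" are aliases of the release; unknown ones sort after.
QUALIFIER_RANK = {
    "alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
    "rc": 3, "cr": 3, "snapshot": 4,
    "": 5, "final": 5, "ga": 5, "release": 5, "sp": 6,
}

# Non-greedy artifact name, then a dash, then a version that starts with a digit.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_version(version):
    """Split '4.1.66.Final' into ([4, 1, 66], (rank, number)) for comparison."""
    nums, qualifier = [], ""
    for tok in re.split(r"[.\-]", version):
        if not qualifier and tok.isdigit():
            nums.append(int(tok))
        elif tok.isdigit():
            qualifier += tok          # e.g. the "1" in "rc-1"
        else:
            qualifier = tok.lower()   # e.g. "Final", "rc1", "SNAPSHOT"
    m = re.match(r"([a-z]*)(\d*)$", qualifier)
    letters, digits = (m.group(1), m.group(2)) if m else (qualifier, "")
    rank = QUALIFIER_RANK.get(letters, 7)  # unknown qualifiers sort after releases, as Maven does
    return nums, (rank, int(digits or 0))


def is_at_least(installed, fixed):
    """True if `installed` is the fixed version or newer."""
    a_nums, a_q = parse_version(installed)
    b_nums, b_q = parse_version(fixed)
    width = max(len(a_nums), len(b_nums))
    a_nums = a_nums + [0] * (width - len(a_nums))  # 2.1.7 == 2.1.7.0
    b_nums = b_nums + [0] * (width - len(b_nums))
    return (a_nums, a_q) >= (b_nums, b_q)


def parse_jar_name(name):
    """Return (artifact, version) for 'jackson-dataformat-cbor-2.10.4.jar', or None."""
    m = JAR_NAME.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def audit_jar_names(names):
    """Return [(artifact, installed, fixed)] for jars older than their fixed version."""
    findings = []
    for name in sorted(names):
        parsed = parse_jar_name(name)
        if parsed is None:
            continue                      # not a versioned jar; nothing to compare
        artifact, version = parsed
        fixed = FIXED_VERSIONS.get(artifact)
        if fixed and not is_at_least(version, fixed):
            findings.append((artifact, version, fixed))
    return findings


def audit_lib_dir(lib_dir):
    """Audit every *.jar directly under `lib_dir` (e.g. an Elasticsearch lib/ folder)."""
    return audit_jar_names(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed jar names mirroring the versions named in the post.
SAMPLE_JARS = [
    "netty-codec-4.1.66.Final.jar",
    "json-smart-1.3.2.jar",
    "xmlsec-2.1.4.jar",
    "jackson-dataformat-cbor-2.10.4.jar",
    "jackson-core-2.13.2.jar",       # not in the fix table: skipped
    "elasticsearch-x-content.jar",   # unversioned: skipped
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_lib_dir(target) if target else audit_jar_names(SAMPLE_JARS)
    for artifact, installed, fixed in results:
        print(f"{artifact}: installed {installed}, fixed in {fixed}")
```

Run it with the path to the distribution's `lib/` directory (`python audit_jars.py /usr/share/elasticsearch/lib`) to list the artifacts still below their fixed version; with no argument it audits the constructed sample list. Note that a file-name check only tells you a vulnerable version is present, not whether the vulnerable code path is reachable from the product, which is the question the post raises about how these libraries are actually used.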