Vulnerable Apache Lucene in Elasticsearch 7.17.28

Hi,
I see that the latest update of Elasticsearch, 7.17.28, still has the vulnerability CVE-2024-45772, which affects Apache Lucene from 4.4.0 before 9.12.0. That means ES should update Lucene to 9.12.0 at least.
Do we know about any mitigation plan?
As far as I can see, Apache Lucene 8 is not supported anymore.

Upgrade to Elasticsearch 8.17, which uses Lucene 9.12.

I'd love to but due to some other limitations we cannot do this at this point.

Elasticsearch major versions are typically aligned with major Lucene versions, so I do not think Elasticsearch 7.17.28 will/can be upgraded in this respect.

Why are you not able to upgrade to Elasticsearch 8.17?

Unfortunately we can't engage in conversations about security vulnerabilities in public. Please use the process described at this page instead.
