Java 22.0.1 contains a HIGH vulnerability, as indicated by CVEs reported in July 2024. This version is/was bundled with ES 8.14.3.
I was expecting a version patch to be included in the next ES release, but looking at the ES Java version information on GitHub for 8.15.0, it looks like Java version 22.0.1 is still being used in the project.
Is there an intended remediation for this vulnerability or am I missing something in the repo?
Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.
We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.
Sure, I went ahead and sent a copy of this issue to the security email.
Can you recommend documentation to me for upgrading the JDK bundled with Elasticsearch?
Security issues and bugs within the bundled JVM are treated as if they were within Elasticsearch itself.
In particular, a vulnerability in a dependency (such as the bundled JVM) may require the use of particular features in the dependency, and often you'll find that Elasticsearch doesn't use the vulnerable feature so the security issue is automatically mitigated. In contrast, upgrading individual dependencies (such as the bundled JVM) carries some risk, since you're moving into an untested configuration. In recent versions there have been JVM bugs that have caused Elasticsearch to malfunction.
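As an added example (not code from this thread or from Elastic), here is a shell check that reads the version of the JDK bundled with an Elasticsearch install, compares it with a minimum patch level, and names the documented `ES_JAVA_HOME` override when it falls short. It assumes the tarball layout where the bundled JDK sits at `$ES_HOME/jdk` and carries the standard OpenJDK `release` file; the demo install at the end is constructed in a temp directory.

```shell
#!/bin/sh
# Added example: inspect the bundled JDK of an Elasticsearch install.
# Assumes the tarball layout $ES_HOME/jdk with a standard JDK "release" file.

# Print the JAVA_VERSION value from a JDK's release file (e.g. 22.0.1).
bundled_jdk_version() {
    sed -n 's/^JAVA_VERSION="\([^"]*\)".*/\1/p' "$1/release"
}

# Return 0 if dotted version $1 is >= dotted version $2, else 1.
# Missing trailing components count as 0, so 22.0 < 22.0.1 and 23 > 22.0.2.
version_at_least() {
    have="$1"; want="$2"; i=1
    while :; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        [ -z "$h" ] && [ -z "$w" ] && return 0
        h=${h:-0}; w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
}

# Report whether the JDK bundled under $1 meets minimum version $2.
# Returns 0 when it does, 1 when it is older, 2 when no release file exists.
check_bundled_jdk() {
    es_home="$1"; min="$2"
    [ -f "$es_home/jdk/release" ] || return 2
    v=$(bundled_jdk_version "$es_home/jdk")
    if version_at_least "$v" "$min"; then
        echo "bundled JDK $v >= $min"
        return 0
    fi
    # ES_JAVA_HOME is the documented way to run Elasticsearch on a non-bundled JDK.
    echo "bundled JDK $v < $min; to use another JDK set ES_JAVA_HOME=/path/to/jdk"
    return 1
}

# Constructed demo install whose bundled JDK reports 22.0.1 (not a real install).
demo_es_home=$(mktemp -d)
mkdir -p "$demo_es_home/jdk"
echo 'JAVA_VERSION="22.0.1"' > "$demo_es_home/jdk/release"
check_bundled_jdk "$demo_es_home" 22.0.2 || true
```

Point `check_bundled_jdk` at a real `$ES_HOME` to run it against an actual install.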
If there was some sort of official response to the CVE discovery, that would be enough for an organization to consider the risk mitigated, I'd imagine. Otherwise, if it comes up in a vulnerability scan, it is difficult to prove to a client the software is secure.
That being said, a patch release upgrade seems low-risk for breaking functionality, i.e. 22.0.2