Vulnerable Java version bundled with 8.14.3 & 8.15

Java 22.0.1 contains a HIGH vulnerability, as indicated by CVEs reported in July 2024. This version is/was bundled with ES 8.14.3.

I was expecting a version patch to be included in the next ES release, but looking at the ES Java version information on GitHub for 8.15.0, it looks like Java version 22.0.1 is still being used in the project.

Is there an intended remediation for this vulnerability or am I missing something in the repo?


Thank you for your report.

Elastic's security reporting guidelines are available at Security issues | Elastic.

Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.

Sure, I went ahead and sent a copy of this issue to the security email.
Can you recommend documentation to me for upgrading the JDK bundled with Elasticsearch?

You do not upgrade the bundled JDK; you need to install a separate JDK and configure the ES_JAVA_HOME environment variable to use that JDK.

This is mentioned here.
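
As an added example (not code from this thread or from Elastic), a small script that reports which JDK an Elasticsearch install will actually start with, following the ES_JAVA_HOME precedence described in the reply above, and whether that JDK meets a minimum patch level. It assumes ES_HOME is the unpacked install directory, that the bundled JDK sits in $ES_HOME/jdk, and that a JDK's version can be read from the JAVA_VERSION="x.y.z" line of its top-level release file.

```shell
#!/bin/sh
# Added example; assumptions: the bundled JDK is at $ES_HOME/jdk and each JDK
# carries a "release" file with a JAVA_VERSION="x.y.z" line.

# Print the version recorded in <jdk_home>/release; fail if the file is absent.
jdk_version() {
  rel="$1/release"
  [ -r "$rel" ] || return 1
  sed -n 's/^JAVA_VERSION="\([^"]*\)".*/\1/p' "$rel"
}

# Resolve the JDK Elasticsearch will use: ES_JAVA_HOME wins over the bundle.
effective_java_home() {
  if [ -n "${ES_JAVA_HOME:-}" ]; then
    echo "$ES_JAVA_HOME"
  else
    echo "$1/jdk"
  fi
}

# Return 0 when dotted version $1 >= $2, comparing numeric components in turn.
version_ge() {
  v1="$1"; v2="$2"
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    x=${v1%%.*}; y=${v2%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] 2>/dev/null && return 0
    [ "${x:-0}" -lt "${y:-0}" ] 2>/dev/null && return 1
    case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
  done
  return 0
}

# Print a verdict for the install at $1 against minimum version $2.
# Exit 0 if at/above the minimum, 1 if below, 2 if the version is unreadable.
check_es_jdk() {
  home=$(effective_java_home "$1")
  ver=$(jdk_version "$home") || { echo "no release file in $home"; return 2; }
  [ -n "$ver" ] || { echo "no JAVA_VERSION entry in $home/release"; return 2; }
  if version_ge "$ver" "$2"; then
    echo "OK: $home runs JDK $ver (>= $2)"
  else
    echo "BELOW MINIMUM: $home runs JDK $ver (< $2)"
    return 1
  fi
}
```

Run it as `check_es_jdk /usr/share/elasticsearch 22.0.2` with and without ES_JAVA_HOME exported to see which JDK the scan-relevant verdict applies to.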

Also as mentioned in those docs:

Security issues and bugs within the bundled JVM are treated as if they were within Elasticsearch itself.

In particular, a vulnerability in a dependency (such as the bundled JVM) may require the use of particular features in the dependency, and often you'll find that Elasticsearch doesn't use the vulnerable feature so the security issue is automatically mitigated. In contrast, upgrading individual dependencies (such as the bundled JVM) carries some risk, since you're moving into an untested configuration. In recent versions there have been JVM bugs that have caused Elasticsearch to malfunction.

If there was some sort of official response to the CVE discovery, that would be enough for an organization to consider the risk mitigated, I'd imagine. Otherwise, if it comes up in a vulnerability scan - it is difficult to prove to a client the software is secure.
That being said, a patch release upgrade seems low-risk for breaking functionality, i.e. 22.0.2