Way to change the version of JARs used in Elasticsearch

I've used the latest version of the Elasticsearch Docker image. As you can see in the image, the JARs used are listed. On running a vulnerability test on the image, some modules give vulnerabilities, like jackson-dataformat-cbor-2.10.4 etc., which can be resolved by using the latest version of the module, like jackson-dataformat-cbor-2.11.4.
I tried replacing the JARs with the latest ones and committing, but as expected that didn't work.
I just wanted to know if it is possible to do so.

Thank you.

2 Likes

No, modifying the JARs on which Elasticsearch depends is not supported. If you believe Elasticsearch has a security vulnerability you should report it and deploy a newer version once a fix is available. Note that vulnerabilities in underlying libraries often don't translate into vulnerabilities in the application that uses them, because the application may not be using the vulnerable feature.

4 Likes
