I've used the latest version of Elasticsearch docker image, As in image you can see the listing of JARs used, On running vulnerabilities test on image, some modules gives vulnerabilities, like jackson-dataformat-cbor-2.10.4 etc, which can be resolved by using a latest version of module like jackson-dataformat-cbor-2.11.4.
I tried replacing the JARs with the latest ones and committing but as expected that didn't work.
I just wanted to know if it is possible to do so.
Thank you.
No, modifying the JARs on which Elasticsearch depends is not supported. If you believe Elasticsearch has a security vulnerability you should report it and deploy a newer version once a fix is available. Note that vulnerabilities in underlying libraries often don't translate into vulnerabilities in the application that uses them, because the application may not be using the vulnerable feature.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
