We are currently using Elasticsearch 7.17.26 on our client side and 7.17.24 on the servers. We received a notification about CVE-2024-52980 in Elasticsearch.
What is the fix for this CVE for 7.x versions?
We only see it mentioned that a fix is available in 8.15 versions.
Since all our instances are production grade, we cannot upgrade them immediately. Isn't there a security patch for Elasticsearch 7.x versions?
Welcome!
Thank you for your report.
Elastic's security reporting guidelines are available at Security issues | Elastic.
Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.
We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.
Although @dadoonet is right that we can't discuss the details of security vulnerabilities here, it is worth noting that the 7.x series has now passed the end of its maintenance term and will have no more releases. You must upgrade to 8.x to pick up any future improvements (whether security-related or otherwise).
Thank you @DavidTurner
Asking this just to understand for future cases. The vulnerability was filed on 8th April, which is 7 days before the end of maintenance of the 7.17.x version. Will there still be no security patch for this?
The end of maintenance is mentioned as 15th April as per the above link.
Yes, the end of maintenance is the point at which we stop producing releases, not the point at which we stop accepting new bug reports.