Hi @DeBruyne2020,
Welcome! I suggest looking at the security announcement here for the details. It states that in general, Elasticsearch does not use Snakeyaml to parse YAML, but does note that it was removed as a direct dependency in v8.3.0 and the transitive dependency was upgraded to snakeyaml 2.0 in v8.8.0:
In 8.3.0 and onwards, snakeyaml has been removed as a direct dependency in "Remove direct snakeyaml dependency from launcher tools" and switched to using X-Content, which is backed by jackson-dataformats-text. Snakeyaml is bundled in Elasticsearch only as a transitive dependency of jackson-dataformats-text but jackson-dataformats-text does not use snakeyaml for YAML parsing either, but uses other parts of the library in a supportive fashion. The developers of jackson-dataformats-text attest that their YAML parsing is not in any way affected by CVE-2022-1471.
In 8.8.0 and onwards, this transitive snakeyaml dependency has nevertheless been upgraded to 2.0, as part of Elastic standard maintenance efforts.
Hope that helps!