allegroai / clearml-server

ClearML - Auto-Magical CI/CD to streamline your AI workload. Experiment Management, Data Management, Pipeline, Orchestration, Scheduling & Serving in one MLOps/LLMOps solution
https://clear.ml/docs

Vulnerable log4j libraries in ElasticSearch image #183

Closed lions1988 closed 11 months ago

lions1988 commented 1 year ago

Nessus scanners identified vulnerable log4j libraries in the ES image.

ClearML server version: 1.9.2 (latest)
ES image: 7.16.2

Path: /usr/share/elasticsearch/lib/elasticsearch-log4j-7.16.2.jar
Installed version: 2.17.0
Fixed version: 2.17.1

Path: /usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.16.2.jar
Installed version: 2.17.0
Fixed version: 2.17.1

Nessus plugin: https://www.tenable.com/plugins/nessus/156327

I can confirm Nessus scans are clean with the latest ES 7.* (7.17.19).
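The report above lists the jar paths and the log4j version the scanner attributed to them. A quick way to reproduce such a finding yourself, before and after upgrading the image, is to open every jar under the Elasticsearch install directory and read the log4j-core version from its Maven metadata, descending into nested jars (the SQL CLI is a fat jar that embeds its dependencies). The script below is an added example, not code from the issue or from the ClearML or Elasticsearch projects. It assumes that log4j-core jars carry the standard Maven `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` entry, and it builds a small constructed directory of fake jars so it runs offline; the 2.17.1 threshold is the "Fixed version" from the Nessus output.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Maven metadata that log4j-core jars carry (assumed standard Maven layout;
# a repackaged build without it would not be reported by this check).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# "Fixed version" from the Nessus finding in the issue: anything below is flagged.
FIXED_VERSION = (2, 17, 1)


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); tolerates suffixes such as '2.17.1-SNAPSHOT'."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def _version_from_zip(zf, depth=0):
    """Return the log4j-core version in an open ZipFile, searching nested jars
    (shaded / fat jars such as the ES SQL CLI) up to two levels deep."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if depth >= 2:
        return None
    for name in names:
        if name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                found = _version_from_zip(inner, depth + 1)
                if found:
                    return found
    return None


def log4j_core_version(jar_path):
    """Version string of the log4j-core bundled in jar_path, or None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return _version_from_zip(zf)
    except zipfile.BadZipFile:
        return None


def find_log4j_jars(root, fixed=FIXED_VERSION):
    """Scan every *.jar under root; return (relative path, version, vulnerable)
    for each jar that bundles log4j-core, sorted by path."""
    root = Path(root)
    results = []
    for path in sorted(root.rglob("*.jar")):
        version = log4j_core_version(path)
        if version is not None:
            results.append((path.relative_to(root).as_posix(), version,
                            parse_version(version) < fixed))
    return results


def _make_jar(path, entries):
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed stand-in for /usr/share/elasticsearch (not real ES artifacts):
    a plain log4j-core 2.17.0 jar, a fat jar embedding that same jar,
    a jar with no log4j at all, and a patched 2.17.1 jar."""
    root = Path(root)
    pom_old = "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.17.0\n"
    pom_new = pom_old.replace("2.17.0", "2.17.1")
    _make_jar(root / "lib" / "log4j-core-2.17.0.jar", {POM_PROPS: pom_old})
    _make_jar(root / "lib" / "lucene-core.jar",
              {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    nested = io.BytesIO()                      # fat jar: log4j-core inside another jar
    with zipfile.ZipFile(nested, "w") as inner:
        inner.writestr(POM_PROPS, pom_old)
    _make_jar(root / "bin" / "elasticsearch-sql-cli.jar",
              {"lib/log4j-core-2.17.0.jar": nested.getvalue()})
    _make_jar(root / "patched" / "log4j-core-2.17.1.jar", {POM_PROPS: pom_new})
    return root


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_log4j_jars(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, version, vulnerable in demo():
        print(f"{'VULNERABLE' if vulnerable else 'ok':10} {path} log4j-core {version}")
```

Against a real image, point `find_log4j_jars` at a copy of `/usr/share/elasticsearch` extracted from the container (for example with `docker cp`); a jar that reports 2.17.0 should disappear from the vulnerable list once the image is rebuilt on a patched Elasticsearch release.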

ainoam commented 1 year ago

Thanks for reporting @lions1988, next version should have updated dependencies.

oren-allegro commented 1 year ago

Hi @lions1988,

Just updating that the next version is going to be released with ES 7.17.7 - which should eliminate these issues. If you are aware of issues in that version, we would be happy to hear, so we can verify these are mitigated by the application.

pollfly commented 1 year ago

Hey @lions1988! v1.10 is now out with ES 7.17.7

AH-Merii commented 1 year ago

> Hey @lions1988! v1.10 is now out with ES 7.17.7

Congrats on the release, I look forward to testing it and rolling it out.

Just a small comment:

There is a typo in the current changelog for clearml-server version 1.10: the changelog references Elasticsearch version 1.17.7 instead of 7.17.7.

jkhenning commented 1 year ago

Thanks @AH-Merii! Fixed 🙂