elastic / elasticsearch

Free and Open, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Update dependency jars in docker image #107085

Closed tomaskodaj closed 3 months ago

tomaskodaj commented 3 months ago

Description

Would it please be possible to bump the Java libs in the next planned patch of 7.17?

Specifically:
- xmlsec-2.1.4.jar to 2.1.8+
- nimbus-jose-jwt-9.23.jar to 9.37.3+
- json-smart-2.4.10.jar to 2.4.11+
- httpcore-4.4.12.jar / httpcore-nio-4.4.12.jar to 4.4.16+

Those dependencies show some CVE findings in the free Trivy scanner...

We are rebuilding the image with this Dockerfile right now..

Thanks

FROM docker.elastic.co/elasticsearch/elasticsearch:7.17.19

# Security update of the OS packages in the base image.
# If the base image has switched to a non-root USER, this and the following
# RUN step need a preceding `USER root` and a switch back afterwards.
RUN apt-get -y update && apt-get -y upgrade && apt-get -y clean

# Each module ships its own copy of a library, so every flagged jar has to be
# removed from (and replaced in) each module directory that contains it.
RUN rm \
        /usr/share/elasticsearch/modules/x-pack-identity-provider/xmlsec-2.1.4.jar \
        /usr/share/elasticsearch/modules/x-pack-security/json-smart-2.4.10.jar \
        /usr/share/elasticsearch/modules/x-pack-security/nimbus-jose-jwt-9.23.jar \
        /usr/share/elasticsearch/modules/x-pack-security/xmlsec-2.1.4.jar \
        /usr/share/elasticsearch/modules/ingest-common/httpcore-4.4.12.jar \
        /usr/share/elasticsearch/modules/repository-url/httpcore-4.4.12.jar \
        /usr/share/elasticsearch/modules/kibana/httpcore-nio-4.4.12.jar \
        /usr/share/elasticsearch/modules/kibana/httpcore-4.4.12.jar \
        /usr/share/elasticsearch/modules/reindex/httpcore-nio-4.4.12.jar \
        /usr/share/elasticsearch/modules/reindex/httpcore-4.4.12.jar \
        /usr/share/elasticsearch/modules/x-pack-core/httpcore-nio-4.4.12.jar \
        /usr/share/elasticsearch/modules/x-pack-core/httpcore-4.4.12.jar

# Drop the newer jars into the same module directories the old copies came from
# (trailing slashes make the destination unambiguously a directory).
COPY jars/xmlsec-2.1.8.jar /usr/share/elasticsearch/modules/x-pack-identity-provider/
COPY jars/xmlsec-2.1.8.jar jars/json-smart-2.4.11.jar jars/nimbus-jose-jwt-9.37.3.jar /usr/share/elasticsearch/modules/x-pack-security/
COPY jars/httpcore-4.4.16.jar /usr/share/elasticsearch/modules/ingest-common/
COPY jars/httpcore-4.4.16.jar /usr/share/elasticsearch/modules/repository-url/
COPY jars/httpcore-nio-4.4.16.jar jars/httpcore-4.4.16.jar /usr/share/elasticsearch/modules/kibana/
COPY jars/httpcore-nio-4.4.16.jar jars/httpcore-4.4.16.jar /usr/share/elasticsearch/modules/reindex/
COPY jars/httpcore-nio-4.4.16.jar jars/httpcore-4.4.16.jar /usr/share/elasticsearch/modules/x-pack-core/

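A Dockerfile like the one above only touches the jar paths it lists, so a copy of an old library in a module directory that was missed stays in the image and keeps showing up in scans. The script below is an added post-build check, not code from the issue or from Elasticsearch: it walks an Elasticsearch home, finds every copy of the five libraries named in the issue (in any module directory) and flags any copy older than the requested minimum. It assumes the modules/<module>/<artifact>-<version>.jar layout of the official image and coreutils `sort -V`; the fixture tree it builds is constructed sample input, with two stale copies deliberately left behind.

```shell
#!/bin/sh
# Added example (not from the issue or from Elasticsearch). Assumptions:
# jars live under $ES_HOME/modules/<module>/ and are named <artifact>-<version>.jar;
# `sort -V` (coreutils natural version sort) is available.

# Minimum versions requested in the issue, one "artifact minimum" per line.
MINIMUMS='xmlsec 2.1.8
nimbus-jose-jwt 9.37.3
json-smart 2.4.11
httpcore 4.4.16
httpcore-nio 4.4.16'

# version_lt A B: succeeds when version A is strictly older than version B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# stale_jars ES_HOME: print "<path> <version> < <minimum>" for every jar copy
# older than its minimum; exit 1 if any stale copy was found, 0 otherwise.
stale_jars() {
    es_home=$1
    found=0
    while read -r artifact minimum; do
        [ -n "$artifact" ] || continue
        for jar in $(find "$es_home/modules" -name "$artifact-*.jar" 2>/dev/null); do
            name=${jar##*/}                 # basename of the jar
            version=${name#"$artifact-"}    # strip "<artifact>-"
            version=${version%.jar}         # strip ".jar"
            # "httpcore-*.jar" also matches httpcore-nio-*.jar; only keep names
            # whose remainder starts with a digit, i.e. is really a version.
            case $version in
                [0-9]*) ;;
                *) continue ;;
            esac
            if version_lt "$version" "$minimum"; then
                echo "$jar $version < $minimum"
                found=1
            fi
        done
    done <<EOF
$MINIMUMS
EOF
    [ "$found" -eq 0 ]
}

# make_fixture DIR: constructed sample tree mimicking a partially patched image.
# x-pack-identity-provider and x-pack-core keep their old copies on purpose.
make_fixture() {
    root=$1
    mkdir -p "$root/modules/x-pack-security" "$root/modules/x-pack-identity-provider" \
             "$root/modules/reindex" "$root/modules/x-pack-core"
    touch "$root/modules/x-pack-security/xmlsec-2.1.8.jar" \
          "$root/modules/x-pack-security/nimbus-jose-jwt-9.37.3.jar" \
          "$root/modules/x-pack-security/json-smart-2.4.11.jar" \
          "$root/modules/x-pack-identity-provider/xmlsec-2.1.4.jar" \
          "$root/modules/reindex/httpcore-4.4.16.jar" \
          "$root/modules/reindex/httpcore-nio-4.4.16.jar" \
          "$root/modules/x-pack-core/httpcore-4.4.12.jar" \
          "$root/modules/x-pack-core/httpcore-nio-4.4.16.jar"
}

# Stand-alone run against the constructed fixture; against a real image use
# e.g. `docker run --rm --entrypoint sh <image> -c "$(cat check.sh)"` with
# ES_HOME=/usr/share/elasticsearch instead of the fixture.
fixture=$(mktemp -d)
make_fixture "$fixture"
stale_jars "$fixture" || echo "stale jar copies remain in $fixture"
rm -rf "$fixture"
```

The digit check after stripping the artifact prefix matters: without it `httpcore-*.jar` also matches `httpcore-nio-4.4.16.jar`, and `sort -V` would then compare the string `nio-4.4.16` against `4.4.16`.
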
elasticsearchmachine commented 3 months ago

Pinging @elastic/es-delivery (Team:Delivery)

elasticsearchmachine commented 3 months ago

Pinging @elastic/es-security (Team:Security)

mark-vieira commented 3 months ago

@jakelandis do we need to bump some dependencies in 7.17?

jakelandis commented 3 months ago

We run scans internally and have evaluated all of these, and they have all been mitigated or evaluated as not affecting us. If you have a support contract we can provide our official statements on the related CVEs via the support portal (and there should be a self-service search by CVE).

I am going to close this issue, but ping me if you have any follow up comments.