Vulnerabilities in readonlyrest-1.40.0_es7.16.3

Hi,

As per NVD, the Bouncy Castle 1.0.1 and elasticsearch-rest-high-level-client-7.16.3 present in readonlyrest-1.40.0_es7.16.3.zip are vulnerable.

CVE numbers are as follows:

  1. CVE-2007-6721
  2. CVE-2020-26939
  3. CVE-2016-1000338
  4. CVE-2016-1000343
  5. CVE-2016-1000341
  6. CVE-2017-13098
  7. CVE-2020-15522
  8. CVE-2016-1000342
  9. CVE-2016-1000345
  10. CVE-2016-1000352
  11. CVE-2016-1000339
  12. CVE-2016-1000344
  13. CVE-2018-5382
  14. CVE-2016-1000346
  15. CVE-2018-1000180
  16. CVE-2013-1624
  17. CVE-2022-23710
  18. CVE-2022-23708

Please have a look into this.


We are currently looking into this, thanks for the post. @coutoPL please update this thread when you have news.

I cannot confirm it.
We use:
https://mvnrepository.com/artifact/org.bouncycastle/bctls-fips/1.0.12.3 (no CVE)
https://mvnrepository.com/artifact/org.elasticsearch.client/elasticsearch-rest-client/7.16.3 but with https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.13 (fixes CVE-2020-13956)

We have a CVE-check in our pipeline and it doesn’t detect anything in ROR 1.40.0 (any ES version).

@Sagarika How did you check this?


We use blackduck tool which shows these vulnerabilities

I see there are two Bouncy Castle jars, bc-fips-1.0.2.3 and bctls-fips-1.0.12.3, present in ROR 1.40. I think those have some issues.

yes, ROR uses these two BouncyCastle jars. None of them have known CVEs.
In our project, we use OWASP Dependency-Check to make sure our dependencies have no CVEs. Obviously, I checked these two manually to make sure that the reported CVEs are false positives. Maybe you should contact the Blackduck creators and report the issue (false positive reports).

But thanks for raising the flag. CVEs are an important topic in security software, so we always double-check if someone has doubts. :ok_hand:

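As an added example (not ReadonlyREST's own tooling, and not how Black Duck or OWASP Dependency-Check work internally), here is one way to do the manual check described in the thread: open each jar inside the distribution zip, read its Maven coordinates from META-INF/maven/<groupId>/<artifactId>/pom.properties, and match advisories by exact groupId:artifactId plus version range rather than by the product name "Bouncy Castle". The distribution zip, jar contents and advisory list below are constructed in memory, and the advisory IDs and fixed versions are hypothetical, not real CVE data.

```python
"""Match jars in a distribution zip against advisories by exact Maven coordinates.
Added example, not ReadonlyREST's own tooling; all input data is constructed."""
import io
import re
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Coord:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    id: str
    group: str
    artifact: str
    fixed_in: str  # versions strictly below this are affected


def parse_version(v: str) -> tuple:
    """'1.0.12.3' -> ((0,1),(0,0),(0,12),(0,3)); numeric parts sort numerically,
    non-numeric parts (e.g. 'rc1') sort after numbers so '1.0' > '1.0-rc1' is not assumed."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


def jar_coordinates(jar_bytes: bytes) -> list[Coord]:
    """Read every META-INF/maven/*/*/pom.properties in a jar (shaded jars may carry several)."""
    coords = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, val = line.partition("=")
                    props[key.strip()] = val.strip()
            if {"groupId", "artifactId", "version"} <= set(props):
                coords.append(Coord(props["groupId"], props["artifactId"], props["version"]))
    return coords


def affected(coord: Coord, advisories: list[Advisory]) -> list[Advisory]:
    """An advisory applies only when group AND artifact match exactly and the version is below fixed_in."""
    return [a for a in advisories
            if a.group == coord.group and a.artifact == coord.artifact
            and parse_version(coord.version) < parse_version(a.fixed_in)]


def scan_distribution(zip_bytes: bytes, advisories: list[Advisory]) -> dict:
    """Map 'group:artifact:version' of every jar in the zip to the advisory ids that apply."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as dist:
        for name in dist.namelist():
            if name.endswith(".jar"):
                for c in jar_coordinates(dist.read(name)):
                    report[f"{c.group}:{c.artifact}:{c.version}"] = [a.id for a in affected(c, advisories)]
    return report


# --- constructed test data below (hypothetical advisories, NOT real CVE records) ---
ADVISORIES = [
    Advisory("EXAMPLE-0001", "org.bouncycastle", "bcprov-jdk15on", "1.56"),
    Advisory("EXAMPLE-0002", "org.bouncycastle", "bc-fips", "1.0.2.1"),
]


def make_jar(group: str, artifact: str, version: str) -> bytes:
    """Minimal in-memory jar carrying only the Maven pom.properties (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                     f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
    return buf.getvalue()


def build_sample_distribution() -> bytes:
    """Constructed plugin zip: the two FIPS jars from the thread plus an old bcprov jar for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dist:
        dist.writestr("plugin/bc-fips-1.0.2.3.jar", make_jar("org.bouncycastle", "bc-fips", "1.0.2.3"))
        dist.writestr("plugin/bctls-fips-1.0.12.3.jar", make_jar("org.bouncycastle", "bctls-fips", "1.0.12.3"))
        dist.writestr("plugin/bcprov-jdk15on-1.55.jar", make_jar("org.bouncycastle", "bcprov-jdk15on", "1.55"))
    return buf.getvalue()


if __name__ == "__main__":
    for coords, ids in scan_distribution(build_sample_distribution(), ADVISORIES).items():
        print(coords, "->", ids or "no matching advisory")
```

The point of matching on the full coordinates is that bc-fips and bctls-fips are different artifacts from bcprov-jdk15on even though all three are "Bouncy Castle"; a scanner that keys on the product name alone will attach bcprov advisories to the FIPS jars. When a tool reports a hit, the pom.properties inside the jar is the quickest way to see which artifact and version it actually is.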