
efk addon image contains Log4j CVEs #15280

Open
@spowelljr


The efk addon contains the image k8s.gcr.io/elasticsearch:v5.6.2@sha256:7e95b32a7a2aad0c0db5c881e4a1ce8b7e53236144ae9d9cfb5fbe5608af4ab2

This image contains Log4j CVEs

  ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720] in org.apache.logging.log4j:[email protected]
    introduced by org.apache.logging.log4j:[email protected]
  ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014] in org.apache.logging.log4j:[email protected]
    introduced by org.apache.logging.log4j:[email protected]

If you are using the addon we recommend you run minikube addons disable efk to terminate the vulnerable pod.
If you are not using the efk addon you are not vulnerable.
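
A check for whether any pod is running the image named above, as an added example that is not part of the original issue or of the minikube project. The function names, the input format (namespace, pod name, then one or more image references per line) and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag pods that run the Elasticsearch image named in this issue.
# Image reference values are copied from the issue text.
VULN_REPO='k8s.gcr.io/elasticsearch'
VULN_TAG='v5.6.2'
VULN_DIGEST='sha256:7e95b32a7a2aad0c0db5c881e4a1ce8b7e53236144ae9d9cfb5fbe5608af4ab2'

# Reads "<namespace> <pod> <image> [<image> ...]" lines on stdin and prints
# "<namespace>/<pod>" for every pod with a matching container image.
# A match is the pinned digest anywhere in the reference, or the exact
# repo:tag (so v5.6.20 or another registry's elasticsearch is not flagged).
find_efk_log4j_pods() {
    awk -v repo="$VULN_REPO" -v tag="$VULN_TAG" -v digest="$VULN_DIGEST" '
        NF >= 3 {
            for (i = 3; i <= NF; i++) {
                ref = $i
                by_digest = index(ref, digest) > 0
                by_tag = (ref == (repo ":" tag)) || index(ref, repo ":" tag "@") == 1
                if (by_digest || by_tag) { print $1 "/" $2; break }
            }
        }' | sort -u
}

# Constructed sample listing (pod names and non-Elasticsearch images are made up).
sample_listing() {
    cat <<EOF
kube-system es-sample-pod $VULN_REPO:$VULN_TAG@$VULN_DIGEST
kube-system fluentd-sample-pod example.invalid/fluentd:constructed
default sidecar-sample-pod example.invalid/app:1.0 $VULN_REPO:$VULN_TAG
default newer-sample-pod $VULN_REPO:v5.6.20
EOF
}

# Demo on the constructed sample; prints the two affected pods.
sample_listing | find_efk_log4j_pods

# Against a live cluster (requires kubectl access), feed the function with:
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}' \
#     | find_efk_log4j_pods
# Any output means the vulnerable image is deployed; the issue's remediation
# is: minikube addons disable efk
```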

    Labels

    addon/efk (Issues with EFK addon)
    area/addons
    kind/security (security issues)
    lifecycle/frozen (Indicates that an issue or PR should not be auto-closed due to staleness.)
    priority/important-soon (Must be staffed and worked on either currently, or very soon, ideally in time for the next release.)
