Erroneous scan of Log4J vulnerability in elasticsearch:7.16.1 (and maybe others)

The dockerhub page shows that the 7.16.1 elasticsearch version is free of the vulnerability known as “Log4Shell” (CVE-2021-44228 or CVE-2021-45046), but it actually isn’t.
It has the previously mentioned vulnerability, as it uses version 2.11.1 for both its core and API. As said in the corresponding blog, "The vulnerable versions of Log4j 2 are versions 2.0 to version 2.14.1 inclusive".
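A quick way to check this yourself instead of trusting the Hub scan result, as an added example that is not part of the original post and not Docker's or Elastic's code: list the log4j jars in the image and compare their versions against the range quoted above. The jar paths below are constructed sample input (the elasticsearch lib path is an assumption), not real output; the intended source of such a listing would be something like `docker run --rm --entrypoint find elasticsearch:7.16.1 / -name 'log4j-*.jar'`, which the block itself does not run. Only `log4j-core` carries the vulnerable JNDI lookup, so `log4j-api` hits are reported but not counted; the backported fix releases (2.3.1 for Java 6, 2.12.2 for Java 7) sit inside the quoted 2.0-2.14.1 range and are treated as patched, and 2.15.0 is flagged because it still has CVE-2021-45046.

```python
"""Added example: classify log4j jar versions found in an image against the
Log4Shell-affected range (2.0 .. 2.14.1 inclusive) quoted in the forum post."""
import re
from typing import List, Tuple

VULNERABLE = "vulnerable (CVE-2021-44228, CVE-2021-45046)"
PARTIAL = "partially patched (CVE-2021-45046 remains)"
BACKPORT = "patched (backport)"
PATCHED = "patched"
OUT_OF_SCOPE = "not a Log4j 2 release covered by these CVEs"
API_ONLY = "log4j-api: not the affected artifact, check log4j-core"

# Matches the artifact and version out of a jar file name such as
# ".../log4j-core-2.11.1.jar"; other jars (e.g. log4j-1.2.x) are skipped.
JAR_RE = re.compile(r"log4j-(core|api)-(\d+(?:\.\d+)*)\.jar$")

# Constructed sample input, not the real output of any command.
SAMPLE_FIND_OUTPUT = """\
/usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
/opt/other/lib/log4j-core-2.12.2.jar
/opt/other/lib/log4j-core-2.15.0.jar
/opt/other/lib/log4j-core-2.17.0.jar
/opt/other/lib/log4j-1.2.17.jar
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.11.1' -> (2, 11, 1). Tuples compare element-wise, so (2, 14) < (2, 14, 1)."""
    return tuple(int(part) for part in version.split("."))


def log4shell_status(version: str) -> str:
    """Return the Log4Shell status of a log4j-core version string."""
    v = parse_version(version)
    if v < (2, 0):
        return OUT_OF_SCOPE
    # Backported fixes for older Java releases fall inside the quoted range:
    # 2.3.1+ (Java 6) and 2.12.2+ (Java 7) close both CVEs.
    if (2, 3, 1) <= v < (2, 4) or (2, 12, 2) <= v < (2, 13):
        return BACKPORT
    if v <= (2, 14, 1):
        return VULNERABLE
    if v == (2, 15, 0):
        # 2.15.0 fixed CVE-2021-44228 only; CVE-2021-45046 was fixed in 2.16.0.
        return PARTIAL
    return PATCHED


def classify_jars(find_output: str) -> List[Tuple[str, str, str, str]]:
    """Map each recognised log4j jar path to (path, artifact, version, status)."""
    results = []
    for line in find_output.splitlines():
        path = line.strip()
        match = JAR_RE.search(path)
        if not match:
            continue
        artifact, version = match.groups()
        status = log4shell_status(version) if artifact == "core" else API_ONLY
        results.append((path, artifact, version, status))
    return results


def image_is_exposed(find_output: str) -> bool:
    """True if any log4j-core jar in the listing is still affected."""
    return any(
        status in (VULNERABLE, PARTIAL)
        for _, artifact, _, status in classify_jars(find_output)
        if artifact == "core"
    )


if __name__ == "__main__":
    for path, artifact, version, status in classify_jars(SAMPLE_FIND_OUTPUT):
        print(f"{status:45} {path}")
    print("image exposed:", image_is_exposed(SAMPLE_FIND_OUTPUT))
```

For the sample listing the 2.11.1 core jar is reported as vulnerable, so the image as a whole is flagged regardless of what a registry-side scanner says.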

Interesting. I checked if the reason is that somehow the issue in that image is not detectable, but Trivy (one of the Docker Desktop extensions) can detect it.

Since you discovered it, would you report it in the Hub Feedback repository on GitHub?

The Hub Feedback’s “readme” says you should not report security issues there, but this is not a security issue of Docker Hub, it is just scanning.
