[FOLIO-3535] Upgrade bitnami/elasticsearch:7.10.2 Created: 06/Jul/22 Updated: 18/Jan/24

Status: Open
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Task Priority: P2
Reporter: Julian Ladisch Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: reviewed, security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to MSEARCH-357 OpenSearch fixing Elasticsearch XSS, ... Closed
Sprint: Kitfox: sprint 146, DevOps Requests, Kitfox: sprint 165, Kitfox: sprint 145, Kitfox: sprint 148
Story Points: 2
Development Team: FOLIO DevOps

Description

https://github.com/folio-org/folio-ansible/blob/2f835c17933ebf9529038d121f9b73237a57c94c/roles/elasticsearch/defaults/main.yml

sets

elasticsearch_version: 7.10.2
elasticsearch_image: docker.io/bitnami/elasticsearch

The version 7.10 has reached end of life on 2022-05-11: https://www.elastic.co/support/eol

Docker Hub reports that the container has the Log4Shell vulnerability: https://hub.docker.com/layers/elasticsearch/bitnami/elasticsearch/7.10.2/images/sha256-73128f92f1d370b782a32928c569772bd7563d54b39b0a11d27269ae4494c593?context=explore

Snyk reports that the container has many vulnerable packages; the most severe issues are

Elasticsearch 7.10 is the last version under the Apache 2.0 license. Later versions have a proprietary license.

The mod-search module has switched the server used to test against from Elasticsearch to the fork OpenSearch, which remains under the Apache 2.0 license (MSEARCH-357, Closed): https://github.com/folio-org/mod-search/blob/eda45253d6cc7eb42b968ce0a8fe0193ed967b52/docker/opensearch/Dockerfile

Comments
Comment by Craig McNally [ 07/Jul/22 ]

Taras Spashchenko / oleksandr_haimanov, the Security team wanted to make sure this was on the Kitfox radar. If it can't be done in this sprint, that's OK, but it should be done soon.

Comment by Julian Ladisch [ 09/Sep/22 ]

As of today this is the list of search engine versions that the vendors endorse for production use:

  • Elasticsearch 7.17.6
  • Elasticsearch 8.4.1
  • OpenSearch 1.3.5
  • OpenSearch 2.2.1

For details see
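
As an added check (not code from folio-ansible or from this ticket): a small Python lint that parses the flat key: value pins quoted in the description and flags an image whose version is not on one of the vendor-endorsed lines listed in the comment above. The sample defaults are constructed to mirror the ticket, and the endorsed versions are only the ones that comment names; EOL dates are not modelled.

```python
import re
from typing import Dict, List, Tuple

# Endorsed releases per engine, as listed in the 09/Sep/22 comment. A pin must
# sit on one of these major.minor lines and be at least at the listed patch.
ENDORSED: Dict[str, List[Tuple[int, int, int]]] = {
    "elasticsearch": [(7, 17, 6), (8, 4, 1)],
    "opensearch": [(1, 3, 5), (2, 2, 1)],
}

# Constructed sample mirroring the role defaults quoted in the ticket.
SAMPLE_DEFAULTS = """\
elasticsearch_version: 7.10.2
elasticsearch_image: docker.io/bitnami/elasticsearch
"""

def parse_defaults(text: str) -> Dict[str, str]:
    """Minimal parser for the flat key: value lines of a defaults/main.yml."""
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.fullmatch(r"([A-Za-z_]\w*)\s*:\s*(\S.*)", line)
        if m:
            found[m.group(1)] = m.group(2).strip().strip("'\"")
    return found

def parse_version(text: str) -> Tuple[int, int, int]:
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))  # tolerate "7.10"-style pins
    return parts[0], parts[1], parts[2]

def check_pin(defaults: Dict[str, str], prefix: str = "elasticsearch") -> List[str]:
    """Return findings for <prefix>_image / <prefix>_version; empty if the pin is fine."""
    image, version = defaults.get(f"{prefix}_image"), defaults.get(f"{prefix}_version")
    if image is None or version is None:
        return [f"{prefix}: image or version pin missing"]
    engine = image.rsplit("/", 1)[-1].split(":", 1)[0]  # .../bitnami/elasticsearch -> elasticsearch
    if engine not in ENDORSED:
        return [f"{prefix}: no endorsed versions known for image {image!r}"]
    pinned = parse_version(version)
    on_line = [e for e in ENDORSED[engine] if e[:2] == pinned[:2]]
    if not on_line:
        lines = ", ".join(f"{a}.{b}" for a, b, _ in ENDORSED[engine])
        return [f"{prefix}: {engine} {version} is not on an endorsed line ({lines})"]
    if pinned < on_line[0]:
        want = ".".join(map(str, on_line[0]))
        return [f"{prefix}: {engine} {version} is below endorsed patch level {want}"]
    return []

if __name__ == "__main__":
    print(check_pin(parse_defaults(SAMPLE_DEFAULTS)))
```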

Comment by Julian Ladisch [ 16/Sep/22 ]

Volodymyr Kartsev wrote:

We discussed https://folio-org.atlassian.net/browse/FOLIO-3535 with the team, and it looks like responsibility for Snapshot envs and pipelines is not in scope for the Kitfox team.
Please discuss it with your team and assign the ticket to the appropriate member.

Generated at Thu Feb 08 23:28:51 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.