CVE-2022-46364 | GHSA-x3x3-qwjq-8gj4 Security Issue on SearchGuard

arthurpapanyan · February 7, 2023, 5:07pm

Our security scanner reports these packages as vulnerable. With Critical Severity. these packages are used by searchguard.
Package: search-guard-7/cxf-*

./elasticsearch/plugins/search-guard-7/cxf-rt-security-3.3.11.jar
./elasticsearch/plugins/search-guard-7/cxf-rt-rs-security-jose-3.3.11.jar
./elasticsearch/plugins/search-guard-7/cxf-rt-rs-json-basic-3.3.11.jar
./elasticsearch/plugins/search-guard-7/cxf-core-3.3.11.jar
./elasticsearch/plugins/search-guard-7/cxf-core-3.3.11.jar

CVE Links:

CVE-2022-46364
NVD - CVE-2022-46364

Affected Versions: up to 3.5.5

could you please provide the status of these findings, or information about mitigation/remediation

Thank you!

nils · February 20, 2023, 4:29pm

Search Guard is not affected by this CVE, as it does not use the code parts of CXF which contain the issue. Still, we will release a new version of SG FLX which will contain a new version of CXF within the next few days.

system · March 13, 2023, 4:29pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Vulnerability detected on Search-guard -7 Search Guard	9	67	October 1, 2024
Apache CXF < 3.5.8, 3.6.x < 3.6.3, 4.0.x < 4.0.4 SSRF Vulnerability on SearchGuard plugins Search Guard	3	265	September 10, 2024
Search Guard for Elasticsearch 6.8.21 CVE-2021-44228 Search Guard	1	772	January 4, 2022
Update on the Log4J2 RCE Vulnerability - CVE-2021-44228 Announcements	2	1344	December 28, 2021
Log4Shell: Search Guard for Elasticsearch 7.16.1 released Announcements	1	977	December 28, 2021

CVE-2022-46364 | GHSA-x3x3-qwjq-8gj4 Security Issue on SearchGuard

Related Topics