elastic / apm-agent-java

Home Page:https://www.elastic.co/guide/en/apm/agent/java/current/index.html


CVE-2023-41329

carlmolemans opened this issue · comments

Dear,

I noticed that the Elastic APM agent relies on WireMock 2.35.0 as a test dependency (https://mvnrepository.com/artifact/com.github.tomakehurst/wiremock-jre8-standalone/2.35.0), which is vulnerable to CVE-2023-41329.

Can you please bump this version to 2.35.1 (https://mvnrepository.com/artifact/com.github.tomakehurst/wiremock-jre8-standalone/2.35.1), which contains the fix? This was released back on the 6th of September 23.

I read about your https://www.elastic.co/community/security stuff, but I find it too much hassle to actually report a security issue on your side, hence I use GitHub.

Kr,
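As an added example (not part of this issue thread or of the apm-agent-java project), the check a dependency scanner performs for a report like the one above: parse a Maven pom, resolve `${property}` versions, flag `wiremock-jre8-standalone` below the fixed release 2.35.1 from the issue, and record the dependency scope, since a test-scoped artifact is not shipped with the product and that is what decides how urgent the bump is. The pom and the `ADVISORY` table are constructed for this example; the version comparison is a simple numeric tuple compare, not Maven's full ordering.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom (not the apm-agent-java pom): pins WireMock 2.35.0
# through a property, with test scope.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <version.wiremock>2.35.0</version.wiremock>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.github.tomakehurst</groupId>
      <artifactId>wiremock-jre8-standalone</artifactId>
      <version>${version.wiremock}</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>2.0.9</version>
    </dependency>
  </dependencies>
</project>
"""

# Advisory data taken from the issue: versions below 2.35.1 are affected.
# (A real scanner would load this from a vulnerability database.)
ADVISORY = {
    ("com.github.tomakehurst", "wiremock-jre8-standalone"): ("2.35.1", "CVE-2023-41329"),
}


def parse_version(version):
    """Turn '2.35.0' into (2, 35, 0); non-numeric segments compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))


def _resolve(value, props):
    """Replace ${name} references with values from <properties>."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_affected(pom_xml, advisory=ADVISORY):
    """Return one finding per dependency that is below the advisory's fixed version."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    # Property names are namespaced element tags; strip the namespace prefix.
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", ns)}
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", ns):
        gid = dep.findtext("m:groupId", default="", namespaces=ns).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=ns).strip()
        version = _resolve(dep.findtext("m:version", default="", namespaces=ns).strip(), props)
        scope = dep.findtext("m:scope", default="compile", namespaces=ns).strip()
        if (gid, aid) not in advisory:
            continue
        fixed, cve = advisory[(gid, aid)]
        if parse_version(version) < parse_version(fixed):
            findings.append({
                "artifact": f"{gid}:{aid}",
                "version": version,
                "fixed_in": fixed,
                "cve": cve,
                "scope": scope,
                # test/provided scope does not end up in the shipped artifact
                "shipped": scope not in ("test", "provided"),
            })
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_POM):
        urgency = "shipped dependency" if f["shipped"] else "test-only, not shipped"
        print(f"{f['artifact']} {f['version']} < {f['fixed_in']} ({f['cve']}): {urgency}")
```

Running it on the sample pom reports the WireMock pin as affected but test-only; changing the property to 2.35.1 clears the finding.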

Thanks for reporting this.
I'll take a look to see if we can upgrade it just to prevent further reports, but I don't think this is very high priority as it's a test library.

Security vulnerabilities should be reported to security@elastic.co as stated in https://www.elastic.co/community/security that you have read. One of the main reasons for doing so is that it provides some time to investigate and fix any serious security issue BEFORE it has been publicly disclosed.

Sorry if it looks like a rant, but reporting publicly first just adds extra pressure to the people in charge of maintaining the code and also transitively to all the users of the affected software component. While it might take us a few days to release a patched version it is not uncommon to see users with long release and deployment cycles, which could leave an open and documented security vulnerability ready for use in the field in their applications.
On the other hand, reporting it privately first allows us to properly prioritize and coordinate those security issues to minimize exposure in the end-user applications that might be impacted.

Here WireMock is just used as a test dependency which is not shipped within our product; we don't even use the proxy/recording feature of the library, thus this vulnerability very likely does not affect us.


I understand your rant; however, this CVE was already publicly disclosed due to automated scanners on e.g. mvnrepository.org. I argue that it was already publicly disclosed.

Nonetheless I thank you for fixing the issue within 3 days.