Update dependency jars in docker image

[tomaskodaj]

Description

Please would it be possible to bump java libs in next planned patch of 7.17?

Specifically:
xmlsec-2.1.4.jar to 2.1.8+
nimbus-jose-jwt-9.23.jar to 9.37.3+
json-smart-2.4.10.jar to 2.4.11+
httpcore-4.4.12.jar / httpcore-nio-4.4.12.jar to 4.4.16+

Those used dependencies shows some CVEs findings in trivy free scanner...

We are rebuilding image with this docker file right now..

Thanks

FROM docker.elastic.co/elasticsearch/elasticsearch:7.17.19

#security update of OS
RUN apt-get -y update && apt-get -y upgrade && apt-get -y clean


RUN rm  \
        /usr/share/elasticsearch/modules/x-pack-identity-provider/xmlsec-2.1.4.jar \
        /usr/share/elasticsearch/modules/x-pack-security/json-smart-2.4.10.jar \
        /usr/share/elasticsearch/modules/x-pack-security/nimbus-jose-jwt-9.23.jar \
        /usr/share/elasticsearch/modules/x-pack-security/xmlsec-2.1.4.jar \
        /usr/share/elasticsearch/modules/ingest-common/httpcore-4.4.12.jar \
        /usr/share/elasticsearch/modules/repository-url/httpcore-4.4.12.jar \
        /usr/share/elasticsearch/modules/kibana/httpcore-nio-4.4.12.jar \
        /usr/share/elasticsearch/modules/kibana/httpcore-4.4.12.jar \
        /usr/share/elasticsearch/modules/reindex/httpcore-nio-4.4.12.jar \
        /usr/share/elasticsearch/modules/reindex/httpcore-4.4.12.jar \
        /usr/share/elasticsearch/modules/x-pack-core/httpcore-nio-4.4.12.jar \
        /usr/share/elasticsearch/modules/x-pack-core/httpcore-4.4.12.jar

COPY jars/xmlsec-2.1.8.jar /usr/share/elasticsearch/modules/x-pack-identity-provider
COPY jars/xmlsec-2.1.8.jar jars/json-smart-2.4.11.jar jars/nimbus-jose-jwt-9.37.3.jar /usr/share/elasticsearch/modules/x-pack-security
COPY jars/httpcore-4.4.16.jar /usr/share/elasticsearch/modules/ingest-common
COPY jars/httpcore-4.4.16.jar /usr/share/elasticsearch/modules/repository-url
COPY jars/httpcore-nio-4.4.16.jar jars/httpcore-4.4.16.jar /usr/share/elasticsearch/modules/kibana
COPY jars/httpcore-nio-4.4.16.jar jars/httpcore-4.4.16.jar /usr/share/elasticsearch/modules/reindex
COPY jars/httpcore-nio-4.4.16.jar jars/httpcore-4.4.16.jar /usr/share/elasticsearch/modules/x-pack-core

[elasticsearchmachine]

Pinging @elastic/es-delivery (Team:Delivery)

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[mark-vieira]

@jakelandis do we need to bump some dependencies in 7.17?

[jakelandis]

We run scans internally and have evaluated all of these and they have all been mitigated or evaluated that we are not vulnerable. If you have a support contract we can provide our official statements on the related CVE's via the support portal (and there should be a self service search by CVE).

I am going to close this issue, but ping me if you have any follow up comments.