Elastic Open Crawler - Recent Container CVEs

[Skagnatti]

Hello,

I have been using the Elastic Open Crawler for some time now. In general, it has been a nice, functional replacement for the deprecated Enterprise Search Crawler.

When my Elastic Open Crawler container(s) launch, they launch with either the docker.elastic.co/integrations/crawler:latest or docker.elastic.co/integrations/crawler:0.4.2 image.

docker ps
CONTAINER ID   IMAGE                                           COMMAND       CREATED        STATUS        PORTS     NAMES
6c52ec83e23e   docker.elastic.co/integrations/crawler:latest   "/bin/bash"   20 hours ago   Up 20 hours             crawler

bash-5.3$ cat product_version
0.4.2

Within the running container the rack version appears to be different than the recently pushed CVE fixes:

bash-5.3$ egrep 'rack|java' Gemfile Gemfile.lock
Gemfile:  gem 'rack', '~> 2.2.14'

Gemfile.lock:    rack (2.2.16)
Gemfile.lock:      rack (>= 1.0.0)
Gemfile.lock:  universal-java-17
Gemfile.lock:  universal-java-21
Gemfile.lock:  universal-java-22
Gemfile.lock:  universal-java-23
Gemfile.lock:  rack (~> 2.2.14)

And I suppose for the other ruby-maven removal CVE in the Dockerfile.

[seanstory]

@Skagnatti you may want to build from source, as it looks like we haven't cut a recent release with a few of these CVE fixes. 0.4.3 should address some of the problem, and we'll see if we can make sure we just don't ship dev/test deps in the image at all.

Thanks for reporting!

[Skagnatti]

Hey, Sean. Appreciate the response.

Sure, that sounds fine. I can wait on the updated image(s).

[Jan-Kazlouski-elastic]

Hi @Skagnatti — verified fixed in 1.0.0, so I'm closing this. Thanks for the report!

Root cause: no recent release had been cut, so the published image lagged behind CVE fixes already in main, and dev/test gems (like rack) were being shipped in the image at all.

Fixed by: rack → 2.2.23 (#432), dev/test gems excluded from the image (#431), ruby-maven/plexus-utils removed (#428), 1.0.0 released (#438).

Verified against the published docker.elastic.co/integrations/crawler:latest (digest 6f3c02f6…, same as :1.0.0):

$ cat product_version              # 1.0.0
$ gem list | grep '^rack '         # (not installed)
$ gem list | grep ruby-maven       # (not installed)
$ find / -iname '*plexus-utils*'   # (no matches)

Note: Gemfile.lock still lists these gems (it's the full bundle manifest), but at patched versions and they aren't installed in the image. Please pull latest/1.0.0 and reopen if anything looks off.