We regularly check our official Axon Ivy Engine Docker image with Docker Scout to identify bundled libraries with security vulnerabilities. These results are publicly available if you log in with a Docker account on Docker Hub.
With the next official LTS and LE releases, we have rigorously upgraded all libraries with critical vulnerabilities. The images still have two issues classified as 'high'. These issues stem from the bundled Elasticsearch, and Elasticsearch has officially stated that Elasticsearch itself is not affected by these vulnerabilities.
For LTS 8, Docker Scout still reports one critical issue with JGroups (the cluster communication library), but this is a false positive. I made an issue for this at Docker Scout: https://github.com/docker/cli/issues/4745
Info: The fact that a bundled library contains a critical vulnerability does not mean that the Axon Ivy Engine is affected and that attackers can exploit the vulnerability. Only parts of the library are affected, and whether these affected components are needed by us or by the project would have to be investigated first. Rigorously updating such libraries saves this effort in any case.
It is particularly worth mentioning that we have updated the bundled Elasticsearch server from 7.3 to LTS 7.17 in LTS 8. However, if you run an external Elasticsearch 7.3 server, Ivy 8 will continue to work with that server.