About fixing log4j2 vulnerabilities using the parameter -Dlog4j2.formatMsgNoLookups=true

Currently, there are multiple ES versions in our online environment. To fix the log4j2 vulnerability, we plan to add the parameter -Dlog4j2.formatMsgNoLookups=true to jvm.option. Do the following versions support this method of repair?
6.2.4
6.3.2
6.4.1
6.8.3
7.2.0
7.4.2

Please see Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31, Elasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation and Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 for mitigation approaches.
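
The script below is an added example, not part of the thread or of Elastic's advisories: a per-node check of whether the flag is present in jvm.options and whether the bundled log4j-core is new enough to read it (the property was introduced in Log4j 2.10.0). The directory layout and the function names are assumptions; the linked advisories remain the authority on which remediation applies to each Elasticsearch version.

```sh
#!/bin/sh
# Added example (not Elastic's tooling): check one Elasticsearch install for the
# -Dlog4j2.formatMsgNoLookups=true mitigation discussed above.
# Assumptions: Log4j ships as lib/log4j-core-<version>.jar under the install
# directory, and JVM flags live in <config dir>/jvm.options.

# Print the bundled log4j-core version, read from the jar file name.
log4j_version() {
    for jar in "$1"/lib/log4j-core-*.jar; do
        [ -e "$jar" ] || return 1
        v=${jar##*/log4j-core-}
        printf '%s\n' "${v%.jar}"
        return 0
    done
}

# 0 if the version is 2.10 or later (first release that reads the property),
# 1 if older, 2 if the version string cannot be parsed.
flag_recognised() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$major.$minor" in *[!0-9.]*|.*|*.) return 2 ;; esac
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 10 ]; }
}

# 0 if jvm.options carries the flag on an uncommented line of its own.
flag_set() {
    [ -f "$1/jvm.options" ] &&
        grep -Eq '^[[:space:]]*-Dlog4j2\.formatMsgNoLookups=true[[:space:]]*$' "$1/jvm.options"
}

# Usage: audit_node <install dir> [config dir]; prints a one-line verdict.
audit_node() {
    home=$1; conf=${2:-$1/config}
    ver=$(log4j_version "$home") || { echo "no log4j-core jar under $home/lib"; return 0; }
    rc=0; flag_recognised "$ver" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "log4j-core $ver: version not parsed, check by hand"
    elif [ "$rc" -eq 1 ]; then
        echo "log4j-core $ver: flag ineffective, property is ignored before Log4j 2.10.0"
    elif flag_set "$conf"; then
        echo "log4j-core $ver: flag set in $conf/jvm.options"
    else
        echo "log4j-core $ver: flag missing from $conf/jvm.options"
    fi
}

if [ "$#" -gt 0 ]; then audit_node "$@"; fi
```

For package installs, pass the configuration directory as the second argument. A "flag set" verdict only confirms the option is in the file; the node must be restarted for the JVM to pick it up.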
