January 20, 2023, 4:32pm
We have recently receive security vulnerabilities related to Log4j , as solution proposed is to Upgrade to Apache Log4j version 2.17.1, 2.12.4, or 2.3.2 or later.
Could you please confirm if there is a patch to install in order to fix this vulnerabilities , or is it mandatory to upgrade the version of ELK , the versions we have for the ELK cluster are
January 20, 2023, 4:51pm
You should upgrade to 7.17
January 20, 2023, 4:57pm
Thanks foryour answer , for the pluging readonly rest should we also upgrade it or juste the ELK cluster which must be upgrade
January 20, 2023, 5:56pm
I have no idea for 3rd party plugins. You should ask them.
January 20, 2023, 6:08pm
ok thank you for your reply
January 20, 2023, 6:29pm
We also have on elasticsearch serveurs the vulnerability :
151209 (4) - OpenJDK 7 <= 7u281 / 8 <= 8u272 / 11.0.0 <= 11.0.9 / 13.0.0 <= 13.0.5 / 15.0.0 <= 15.0.1
The solution proposed is to upgrade Upgrade to an OpenJDK version greater than 7u281 / 8u272 / 11.0.9 / 13.0.5 / 15.0.1
And on the Kibana , elasticsearch and logstash servers we have also the vulnerability :
Oracle Java SE Multiple Vulnerabilities
Proposing as solution to apply the appropriate patch according to the January 2023 Oracle Critical Patch Update advisory.
Is the upgrade of ELK should fix those vulnerabilities , otherwise is there any patch for the last one of oracle.
Thanks for help
As noted earlier, upgrade to at least version 7.17.8. I believe this comes with a considerable more recent JVM bundled.
February 17, 2023, 6:51pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.