Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31

ESA-2021-31 Advisory Updated

  • Jan 13, 2022 21:00 UTC - Elasticsearch and Logstash 7.16.3 and 6.8.23 have been released, upgrading log4j to 2.17.1. Added a note about ECE and Apache Zookeeper.

Elasticsearch and Logstash 7.16.3 and 6.8.23 have been released, upgrading log4j to 2.17.1. By default, Elasticsearch and Logstash have no known vulnerabilities to CVE-2021-44832.

ECE uses Apache Zookeeper, which includes log4j 1.2.17 as an internal dependency. There is no known exploitation of CVE-2021-4104 in this implementation, and the Apache Zookeeper project has not announced any upstream plans to update the log4j version in Zookeeper.
