After we have upgraded apm to 1.34.1, we are still seeing vulnerability CVE-2020-9488 showing up in our application scan reports (earlier we were using 1.28.4)
Expected log4j fix version is 2.13.2 but where in apm 1.34.1, it is still having 2.12.4. So are there any plans to increase log4j version or is it the max version that will be supported?
NVD - cve-2020-9488 Fixed in Apache Log4j 2.12.3 and 2.13.1
Please contact your vulnerability scanner vendor and ask them to correct the false positive error
This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
