We are running Elasticsearch and not enabling / installing X-Pack for reasons.
With regard to the log4j2 vulnerability CVE-2021-44228, there has been mention of setting property or upgrading to a later version (I believe this was 7.8+ now on Java 9 or higher, but its not vital to my question)
My question is if we do not run X-Pack, are we still vulnerable?
- When setting the JVM property, is the fix affected by presence of X-Pack?
- When upgrading to 7.8+ is the fix dependent on the presence of X-Pack?
Follow up question:
We run most of our nodes in "single-node" mode, not cluster.
Single node mode to my understanding already skips startup checks and is different in some ways from running it in "production / cluster mode"
Does this affect the proposed vulnerability fix at all?