CVE-2021-44228 not using XPack, does exposure change?

We are running Elasticsearch and not enabling / installing X-Pack for reasons.

With regard to the log4j2 vulnerability CVE-2021-44228, there has been mention of setting a property or upgrading to a later version (I believe this was 7.8+ now on Java 9 or higher, but it's not vital to my question).

My question is if we do not run X-Pack, are we still vulnerable?

  • When setting the JVM property, is the fix affected by the presence of X-Pack?
  • When upgrading to 7.8+, is the fix dependent on the presence of X-Pack?

Follow-up question:
We run most of our nodes in "single-node" mode, not cluster.

discovery.type: single-node

Single-node mode, to my understanding, already skips startup checks and is different in some ways from running it in "production / cluster mode".

Does this affect the proposed vulnerability fix at all?

Nothing in the security announcement for this issue is specific to which plugins you have installed or the number of nodes in your cluster.

You should follow the recommendations in that announcement.
