CVE-2021-44832

Hi

I am using Elasticsearch version 7.16.2 and found the CVE-2021-44832 vulnerability.
Please help me update the jar file.

Plugin Output:
Path : /usr/share/elasticsearch/lib/elasticsearch-log4j-7.16.2.jar
Installed version : 2.17.0
Fixed version : 2.17.1

Path : /usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.16.2.jar
Installed version : 2.17.0
Fixed version : 2.17.1

I would recommend you upgrade Elasticsearch to the latest version rather than try to mess with jar files.

Hi Christian_Dahlqvist

Upgrading Elasticsearch throws an error on documents.

You will need to first upgrade to Elasticsearch 7.17 and run the migration assistant as outlined in the documentation. There should be no compatibility issues doing that. Then you need to address any issues identified by the assistant before migrating to the latest version (if going to 7.17 does not resolve your issue).

The only supported way to upgrade jars within Elasticsearch is to upgrade Elasticsearch itself (as @Christian_Dahlqvist has recommended).

There is no safe way to upgrade dependencies on their own and it is entirely possible that you will break your cluster - sometimes in ways that cannot be repaired.
