And as I see in the 1.28.4 version, the log4j version being used is 2.12.4, so is there any plan to upgrade it to the 2.17.0 version, or any workaround to mitigate these vulnerabilities, as these are being picked up by application scans?
If your vulnerability scanner doesn't detect that Log4j 2.12.4/Elastic APM Java Agent 1.28.4 contains fixes to these CVEs, please get in touch with the vendor of this scanner so that they can update their policies.
The reason we can't update to Log4j 2.17.0 is that this version doesn't support Java 7. As the Java agent still does support Java 7, we're using the latest 2.12.x version, which contains all the security fixes.
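The distinction made in the reply above, a fixed release on each maintained branch rather than a single "must be 2.17.0 or newer" threshold, is exactly what a scanner policy has to encode. The following Python helper is an added example for this thread, not code from Elastic, the APM Java agent, or the Apache Log4j project. It assumes the per-branch fixed floors published on the Apache Log4j security page (2.3.2 for the Java 6 branch, 2.12.4 for the Java 7 branch, 2.17.1 for the main line), reads the version from the `pom.properties` that Maven-built log4j-core JARs carry, and uses a constructed in-memory JAR containing only that file as sample input; the function names are my own.

```python
"""Evaluate a log4j-core JAR against the fixed release of its own branch.

Hypothetical helper written for this thread; it is not Elastic's or the
Apache Log4j project's code. A scanner that compares every log4j-core
against one threshold such as 2.17.0 flags the Java 7 branch (2.12.x) and
the Java 6 branch (2.3.x) even when they carry the same fixes.
"""
import io
import re
import zipfile

# Lowest release on each older maintained branch that carries all four of the
# December 2021 Log4j 2 fixes (CVE-2021-44228, CVE-2021-45046,
# CVE-2021-45105, CVE-2021-44832), per the Apache Log4j security page.
BRANCH_FLOOR = {
    (2, 3): (2, 3, 2),    # Java 6 branch
    (2, 12): (2, 12, 4),  # Java 7 branch
}
# 2.17.x and later are checked against the main-line fix for CVE-2021-44832.
MAIN_FLOOR = (2, 17, 1)

# Path where Maven-built log4j-core JARs record their version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.12.4' -> (2, 12, 4); rejects anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised log4j version: %r" % text)
    return tuple(int(x) for x in m.groups())


def fixed_floor_for(version):
    """Return the lowest fixed release on this version's branch, or None when
    the branch has no fixed release (e.g. 2.14.x, 2.16.x, or log4j 1.x)."""
    major, minor, _patch = version
    if (major, minor) in BRANCH_FLOOR:
        return BRANCH_FLOOR[(major, minor)]
    if major == 2 and minor >= 17:
        return MAIN_FLOOR
    return None


def is_fixed(version_text):
    """True if the version is at or above its own branch's fixed release."""
    version = parse_version(version_text)
    floor = fixed_floor_for(version)
    return floor is not None and version >= floor


def version_from_jar(jar_bytes):
    """Read the log4j-core version out of the JAR's pom.properties."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        props = jar.read(POM_PROPERTIES).decode("utf-8")
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    raise ValueError("no version entry in " + POM_PROPERTIES)


def assess_jar(jar_bytes):
    """The two steps a scanner should take: find the version, then judge it
    against its branch rather than against a global threshold."""
    version = version_from_jar(jar_bytes)
    floor = fixed_floor_for(parse_version(version))
    return {
        "version": version,
        "branch_floor": ".".join(map(str, floor)) if floor else None,
        "fixed": is_fixed(version),
    }


def build_sample_jar(version):
    """Constructed test input: a minimal JAR holding only pom.properties,
    mimicking what a real log4j-core JAR carries. Not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES,
                     "groupId=org.apache.logging.log4j\n"
                     "artifactId=log4j-core\n"
                     "version=%s\n" % version)
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.12.4", "2.12.3", "2.17.0", "2.17.1", "2.16.0", "2.3.2"):
        print(v, assess_jar(build_sample_jar(v)))
```

Note that 2.17.0 is judged not fixed here because the main line did not get the CVE-2021-44832 fix until 2.17.1, the same reason 2.12.3 is not enough on the Java 7 branch; branch-aware floors catch both cases where a bare "newer than 2.17.0" rule would get one of them wrong.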