Delete log4j-api-2.11.1.jar - CVE-2021-44228 - ESA-2021-31

Hi,
yes, the vulnerability... Shall I delete the file "log4j-api-2.11.1.jar" from the Elasticsearch folder in a Linux installation after the package was updated to 7.16.1?
The reason to ask is, the server will get several security audits with alarm beeping on this file, so it would be hard to explain its existence. In addition, I am not able to "test" its deletion by myself yet...
Thanks!

According to Apache, probably only "core" is affected (not api), however, it would be nice if someone could confirm my findings.
https://logging.apache.org/log4j/2.x/security.html
file log4j-api-2.11.1.jar - probably not affected, therefore not deleted
file log4j-core-2.11.1.jar - affected and deleted (by upgrade procedure)
Thanks!

Extract from https://logging.apache.org/log4j/2.x/security.html

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Can someone from the Elasticsearch team officially confirm this?

Based on the official Apache page, api is not affected:

Mitigation

Log4j 1.x mitigation : Log4j 1.x is not impacted by this vulnerability.

Log4j 2.x mitigation : Implement one of the mitigation techniques below.

  • Java 8 (or later) users should upgrade to release 2.16.0.
  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
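
An added example, not part of any post in this thread: a Python check that reports every archive under a directory that still contains `JndiLookup.class` (the class path from the Apache mitigation quoted above), including JARs bundled inside other archives, which goes beyond the single-file case discussed here. The sample JARs, their contents and the `log4j-core-stripped.jar` and `app.jar` names are constructed in memory for the demo; on a real host you would pass the installation directory to `scan_tree`.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class path taken from the Apache mitigation quoted in the thread.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def find_jndi_lookup(data, label):
    """Return labels of archives that hold JndiLookup.class, recursing into
    nested archives because fat JARs and WARs can bundle log4j-core."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == JNDI_LOOKUP:
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT):
                    hits += find_jndi_lookup(zf.read(name), f"{label}!{name}")
    except zipfile.BadZipFile:
        pass  # not a readable archive; skip it
    return hits

def scan_tree(root):
    """Walk root and list every archive where the class is still present."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            hits += find_jndi_lookup(path.read_bytes(), str(path.relative_to(root)))
    return hits

def make_jar(members):  # constructed in-memory archive from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed sample tree: api JAR, core JAR, stripped core JAR, fat JAR."""
    api = make_jar({"org/apache/logging/log4j/Logger.class": b""})
    stripped = make_jar({"org/apache/logging/log4j/core/Logger.class": b""})
    core = make_jar({"org/apache/logging/log4j/core/Logger.class": b"", JNDI_LOOKUP: b""})
    files = {"log4j-api-2.11.1.jar": api, "log4j-core-2.11.1.jar": core,
             "log4j-core-stripped.jar": stripped,
             "app.jar": make_jar({"lib/log4j-core-2.11.1.jar": core})}
    with tempfile.TemporaryDirectory() as root:
        for fn, data in files.items():
            Path(root, fn).write_bytes(data)
        return scan_tree(root)
```

In the constructed tree, `demo()` flags the core JAR and the copy nested in the fat JAR, while the api JAR and the core JAR with the class removed are not reported.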
