We are using Elasticsearch v7.5.2 along with OpenJDK 11.0.11 in on-premise servers and I just need to know from Elasticsearch Team support if this version is impacted by Log4j vulnerability (CVE-2021-44228) or not.
The reason why I have asked here is that this ES software v7.5.2 comes with log4j-api-2.11.1.jar and log4j-core-2.11.1.jar files. These two versions are most vulnerable. Let me know what exact counter measures that I need to apply. I also don't see any useful information about the version I have in your announcement page. It would be great if you have a list of ES versions that are impacted with mitigation steps.