Is ES v7.5.2 impacted by the Log4j vulnerability (CVE-2021-44228)?

We are using Elasticsearch v7.5.2 along with OpenJDK 11.0.11 on on-premise servers, and I just need to know from Elasticsearch Team support whether this version is impacted by the Log4j vulnerability (CVE-2021-44228) or not.

The reason why I have asked here is that this ES software v7.5.2 comes with the log4j-api-2.11.1.jar and log4j-core-2.11.1.jar files. These two versions are most vulnerable. Let me know what exact countermeasures I need to apply. I also don't see any useful information about the version I have on your announcement page. It would be great if you had a list of ES versions that are impacted, with mitigation steps.

Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 has details that will help you here.
