Does Log4j vulnerability (CVE-2021-44228) is impacted for ES v7.5.2?

Anuroop1 · December 16, 2021, 9:59am

We are using Elasticsearch v7.5.2 along with OpenJDK 11.0.11 in on-premise servers and I just need to know from Elasticsearch Team support if this version is impacted by Log4j vulnerability (CVE-2021-44228) or not.

The reason why I have asked here is that this ES software v7.5.2 comes with log4j-api-2.11.1.jar and log4j-core-2.11.1.jar files. These two versions are most vulnerable. Let me know what exact counter measures that I need to apply. I also don't see any useful information about the version I have in your announcement page. It would be great if you have a list of ES versions that are impacted with mitigation steps.

warkolm · December 20, 2021, 12:17am

Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 has details that will help you here.

system · January 17, 2022, 12:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Log4j vulnerability threat impact on Elasticsearch and Logstash versions below 5 Elasticsearch	2	1245	January 16, 2022
Log4j CVE-2021-44832 (released 28th dec) - is ES vulnerable? Elasticsearch	10	6648	February 7, 2022
Addressing log4j vulnerability for 1.x and 2.x elasticsearch Elasticsearch	2	1529	January 18, 2022
Is Elasticsearch affected by CVE-2021-45046 - a second vulnerability in log4j? Elasticsearch	2	5953	January 12, 2022
How do I Mitigate LOG4J CVE on Elasticsearch 7.4.0? Elasticsearch	3	613	January 4, 2023

Does Log4j vulnerability (CVE-2021-44228) is impacted for ES v7.5.2?

Related topics