Elastic Products are not affected by this issue.
On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package.
Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue.
Reference Links: