Elasticsearch Log4j vulnerability resolution for 8.19.X version

We are currently running Elasticsearch version 8.19.8 in our environment and are receiving a Log4j vulnerability alert.

To address this issue, we verified and upgraded to Elasticsearch version 8.19.11, but the vulnerability is still being flagged.

Could you please provide the solution or confirm the exact Elasticsearch version and release date in which this vulnerability was remediated?


You need to send the CVE information about the vulnerability to security@elastic.co, it is their only channel to answer these questions.


Welcome to the forum @shubhammugale

In addition to what was written already, you need to understand there is a difference between some tool of yours reporting what it suspects may be a vulnerability, and an actual vulnerability.

I have no idea on this specific case, but in general even if you have a specific CVE that references version X of component Y that has some vulnerability, that does not necessarily or automatically mean Elasticsearch also has a vulnerability. It's more nuanced than "version X is vulnerable, so it needs to be upgraded".

Thank you for your clarification.

We understand that there is a difference between a vulnerability reported by a scanning tool and an actual exploitable vulnerability in Elasticsearch. We also acknowledge that even if a specific CVE references version X of component Y, it does not automatically mean that Elasticsearch itself is vulnerable. We understand that the situation can be more nuanced than simply upgrading based on the reported component version.

However, since our security tool continues to flag a Log4j-related vulnerability in Elasticsearch 8.19.x (including 8.19.11), we would appreciate your confirmation on the following:

  • Whether Elasticsearch 8.19.x is genuinely affected by the reported CVE.

  • If it is not affected, could you please provide official documentation or clarification that we can share with our security team to close the finding?

We appreciate your support in helping us accurately assess and remediate this issue.

Security issues are per policy not discussed here so you need to follow Leandro’s advice above.

Whilst agreeing with @Christian_Dahlqvist and @leandrojmp on your best route forward, I note you have referenced a CVE multiple times without (unless I missed it) actually referring to a specific CVE. Adding the specifics to this thread will not likely make much difference as to what you should do next in these situations; do what was suggested in the very first response. But all you have actually shared here is a screenshot from an unknown tool ("our security tool"), which will mean nothing to most of us.

Wild guess, if you are referring to CVE-2025-68161, that just happens to have been referenced on this forum in a previous thread.

For future reference, you can also search/check on the support hub here.


Got it :+1: You received that response from their side and now you want to reply back (not an email, just a forum reply or response).

Here is a professional and balanced response you can post:

Thank you for your response and clarification.

Apologies for not mentioning the specific CVE earlier. The vulnerability being flagged by our security tool is CVE-2025-68161 (Log4j-related).

We understand that a vulnerability reported by a scanning tool does not necessarily mean Elasticsearch itself is exploitable, and that simply referencing a vulnerable library version does not automatically imply product impact.

Our concern is mainly from a compliance and audit perspective, as the scanner continues to flag Elasticsearch 8.19.x (including 8.19.11). We are trying to determine whether:

  • Elasticsearch is actually impacted by CVE-2025-68161, or

  • This is a false positive due to how the scanning tool detects bundled libraries.

If Elasticsearch is not affected, an official confirmation or reference to documentation would greatly help us justify closing this finding internally.

Thank you again for your guidance.

Have you seen that there exists a search function for the forum? If I type in the CVE designation you provided I immediately find the following thread:
