Hello,
We have log4j vulnerabilities for Elasticsearch and Logstash in the following paths:
Path : /usr/share/Elasticsearch/lib/log4j-core-2.11.1.jar
Path : /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar
Is there a workaround to fix the vulnerabilities? Otherwise, Is the only solution to upgrade the application version?
Logstash and Elasticsearch version: 7.13
Could you help me to solve the problem?
Thanks
Welcome to our community! 
If you are referring to the log4shell vulnerabilities then please see 7-0-0-7-16-0-log4j-cve-2021-44228-cve-2021-45046-remediation/292343
I think Mark meant to link to this thread.
Hello
Thanks for your updates. The link you provided for me is about Logstash. Is there a solution for Elasticsearch too?
Thanks
Of course. The overall elastic view of the vulnerability can be found in this blog post. I do not run elasticsearch, but I would start here. There is a ton of detail about versions and configuration variations. If an upgrade is viable then I would certainly recommend it.
Yeah, that was a copy paste error!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.