We are running Elasticsearch 7.6.2 and have mitigated the log4j by setting the -Dlog4j2.formatMsgNoLookups=true in JVM options.
However, our scans are still showing that Elasticsearch-sql-cli-7.6.2.jar file is vulnerable as it is internally using log4j.
Can let us know if this file can be removed from bin folder or is there a way to mitigate this embedded log4j vulnerability.
Elasticsearch 7.6 is EOL and no longer supported. Please upgrade ASAP.
(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns 
)
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.