Impact of CVE-2025-68161 on Elasticsearch v7.17.28

Hi,

Kindly let us know if Elasticsearch v7.17.28 is impacted by CVE-2025-68161.

CVE details are as follows:

Description:

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

* The attacker is able to intercept or redirect network traffic between the client and the log receiver.
* The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Thank you.
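The affected range in the quoted advisory is a plain version check, so it can be scripted. The script below is an added example, not code from this thread or from Elastic: it classifies Log4j Core jar names (of the kind found in an Elasticsearch `lib/` directory) against the range 2.0-beta9 through 2.25.2, with 2.25.3 as the fixed release; the jar names it uses are constructed. Being in range is necessary but not sufficient, since the flaw is in the Socket Appender's TLS handling, so whether that appender is configured decides actual exposure.

```python
import re

# Added example (not from the thread or from Elastic). Range quoted in the
# advisory: 2.0-beta9 through 2.25.2, fixed in 2.25.3.
FIRST_AFFECTED = "2.0-beta9"
FIXED = "2.25.3"

JAR_RE = re.compile(r"^log4j-core-(?P<ver>\d[^/]*?)\.jar$")
VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?")
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # final release sorts last


def parse_version(ver: str) -> tuple:
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.25.2' -> (2, 25, 2, 3, 0).

    A pre-release qualifier sorts before the final release of the same numeric
    version, which is what makes the 2.0-beta9 lower bound compare correctly.
    """
    m = VER_RE.fullmatch(ver)
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {ver!r}")
    major, minor, patch, qual, qual_num = m.groups()
    return (int(major), int(minor), int(patch or 0), PRERELEASE_RANK[qual], int(qual_num or 0))


def is_affected(ver: str) -> bool:
    """True if FIRST_AFFECTED <= ver < FIXED; the fixed release itself is clear."""
    return parse_version(FIRST_AFFECTED) <= parse_version(ver) < parse_version(FIXED)


def classify_jars(jar_names) -> dict:
    """Map each log4j-core jar name to its affected status; other jars are skipped."""
    results = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            results[name] = is_affected(m.group("ver"))
    return results


# Constructed sample listing, not the contents of any real Elasticsearch lib/ directory.
SAMPLE_JARS = ["log4j-api-2.25.2.jar", "log4j-core-2.0-beta8.jar",
               "log4j-core-2.17.1.jar", "log4j-core-2.25.2.jar", "log4j-core-2.25.3.jar"]

if __name__ == "__main__":
    for jar, hit in classify_jars(SAMPLE_JARS).items():
        print(f"{jar}: {'in affected range' if hit else 'not in affected range'}")
```

On a real host, feed the output of `ls lib/log4j-core-*.jar` to `classify_jars` instead of the constructed list.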

Hi @amolrm,

I would recommend reaching out to security@elastic.co with any security related queries.

As an aside, 7.17 reached end of support earlier this month (see here) so I would recommend upgrading to version 8 or 9.

Hope that helps!

Carly

@amolrm try to avoid cross-posting the same question in multiple topics. But as confirmed here Elastic and Elasticsearch are not impacted.

Hope that helps!

Hi Carly,

Thank you for your response.

The purpose behind the follow-up question was to know beforehand whether the suggested ES upgrade (to 8.x or 9.x) is immune to the vulnerability. If not, there would have been no point performing an immediate upgrade.

Regards.

There are multiple other CVEs affecting version 7, which is not supported anymore and will not receive any fix.

You can check the Security Announcements.
