As per the title there is a newer vulnerability in log4j: CVE-2021-45046
https://logging.apache.org/log4j/2.x/security.html
As the current log4j announcement doesn't specifically mention this CVE except in the context of Logstash, could anyone confirm whether or not Elasticsearch is vulnerable?
Actually it seems they updated the security announcement to explicitely cover this new vulnerability:
[Update 15 December] A further vulnerability (CVE-2021-45046) was disclosed on December 14th after it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Our guidance for Elasticsearch, APM Java Agent, and Logstash are unchanged by this new vulnerability.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.