Is Elasticsearch affected by CVE-2021-45046 - a second vulnerability in log4j?

As per the title, there is a newer vulnerability in log4j: CVE-2021-45046.

As the current log4j announcement doesn't specifically mention this CVE except in the context of Logstash, could anyone confirm whether or not Elasticsearch is vulnerable?


Actually, it seems they updated the security announcement to explicitly cover this new vulnerability:

[Update 15 December] A further vulnerability (CVE-2021-45046) was disclosed on December 14th after it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Our guidance for Elasticsearch, APM Java Agent, and Logstash are unchanged by this new vulnerability.
