Is Elasticsearch affected by CVE-2021-45046 - a second vulnerability in log4j?

As per the title there is a newer vulnerability in log4j: CVE-2021-45046
https://logging.apache.org/log4j/2.x/security.html

As the current log4j announcement doesn't specifically mention this CVE except in the context of Logstash, could anyone confirm whether or not Elasticsearch is vulnerable?

7 Likes

Actually it seems they updated the security announcement to explicitly cover this new vulnerability:

[Update 15 December] A further vulnerability (CVE-2021-45046) was disclosed on December 14th after it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Our guidance for Elasticsearch, APM Java Agent, and Logstash are unchanged by this new vulnerability.

1 Like
