Found that ES is internally using log4j 2.11.1, which is hitting this NVD - CVE-2020-9488.
As we are more concerned about security issues, is there any plan to upgrade this in ES v6.8.x or the latest versions of ES? Or is it possible to upgrade this jar manually?
Any updates on this?
Please report security issues to security@elastic.co as per the online instructions.
Manually upgrading a single JAR is not supported. Since the vulnerability you link apparently affects only some logging configurations, you can likely mitigate it by adjusting your configuration to avoid the vulnerable feature. I believe the default logging configuration is unaffected by this issue.
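CVE-2020-9488 concerns the Log4j SMTP appender's certificate hostname check on SMTPS connections, so one way to check the configuration-level exposure mentioned in the reply above is to scan `log4j2.properties` for such appenders. This is an added example, not code from the thread or from Elastic; the sample configuration and the function names are constructed for illustration.

```python
import re
import sys

# Constructed sample in log4j2.properties style (not taken from the thread).
SAMPLE = """\
appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.mail.type = SMTP
appender.mail.name = mail
appender.mail.smtpProtocol = smtps
appender.mail.smtpHost = mail.example.internal
rootLogger.appenderRef.mail.ref = mail
# appender.old.type = SMTP
"""

# appender.<id>.<key> = <value>; nested keys such as layout.type stay in <key>.
LINE = re.compile(r"^\s*appender\.([^.=\s]+)\.([^=\s]+)\s*[=:]\s*(.*?)\s*$")

def smtp_appenders(text):
    """Return {appender_id: {"protocol", "host"}} for every SMTP appender."""
    props = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith(("#", "!")):  # properties-file comments
            continue
        m = LINE.match(raw)
        if m:
            ident, key, value = m.groups()
            props.setdefault(ident, {})[key.lower()] = value
    return {
        ident: {"protocol": p.get("smtpprotocol", "smtp").lower(),
                "host": p.get("smtphost")}
        for ident, p in props.items()
        if p.get("type", "").lower() == "smtp"
    }

def affected(text):
    """Ids of appenders that send over SMTPS, where the hostname check matters."""
    return sorted(i for i, a in smtp_appenders(text).items()
                  if a["protocol"] == "smtps")

if __name__ == "__main__":
    # Pass the path to a log4j2.properties file, or run without arguments
    # to scan the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ident in affected(text):
        print(f"SMTPS appender '{ident}' present: review for CVE-2020-9488")
```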