Is it possible to upgrade log4j from 2.11.1 to latest non-vul-ner-able version?

Found that ES internally using log4j 2.11.1 which is hitting this NVD - CVE-2020-9488.
As we are more concerned about security issues, is there any plan to upgrade this in ES v6.8.x or latest versions of ES ? Or manually is it possible to upgrade this jar ?

any updates on this ?

Please report security issues to as per the online instructions.

Manually upgrading a single JAR is not supported. Since the vulnerability you link apparently affects only some logging configurations, you can likely mitigate it by adjusting your configuration to avoid the vulnerable feature. I believe the default logging configuration is unaffected by this issue.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.