Log4j on Elasticsearch 7.9.2

Hi Everyone,

As we know, the vulnerability (CVE-2021-44228) impacts multiple versions of Apache Log4j2.

I can see Elastic has posted an update about this:
Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage. This is due to Elasticsearch’s usage of the Java Security Manager. Most other versions (5.6.11+, 6.4.0+ and 7.0.0+) can be protected via a simple JVM property change. The information leak vulnerability does not permit access to data within the Elasticsearch cluster. We have released Elasticsearch 7.16.1 and 6.8.21 which contain the JVM property by default and remove certain components of Log4j out of an abundance of caution.

Currently, I have Elasticsearch version 7.9.2 on a production server, but I found a lot of log4j 2.11.1.jar packages under elastic (the impacted versions are between 2.0 and 2.14.1).

So, should I worry about it and consider an upgrade to a higher Elastic version, i.e. 7.16?
Or can I safely ignore those?
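The triage asked about in the post above, as an added example that is not part of the original thread or Elastic's tooling: it encodes the version thresholds from the quoted Elastic text and the Log4j range the poster cites, then checks a jar listing. Function names, status labels and the sample paths are assumptions made for illustration.

```python
import re

# Thresholds taken from the Elastic text quoted in the post (per major line).
NOT_SUSCEPTIBLE = {6: (6, 8, 9), 7: (7, 8, 0)}             # only with JDK 9+
PROPERTY_FIX = {5: (5, 6, 11), 6: (6, 4, 0), 7: (7, 0, 0)}
SHIPS_MITIGATION = {6: (6, 8, 21), 7: (7, 16, 1)}
# Log4j range as stated by the poster: 2.0 through 2.14.1.
LOG4J_AFFECTED = ((2, 0, 0), (2, 14, 1))
JAR_RE = re.compile(r"log4j-(?:core|api)-(\d+(?:\.\d+){1,2})\.jar$")

def parse(version):
    """'7.9.2' -> (7, 9, 2); missing parts are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def triage_es(es_version, jdk_major):
    """Map an Elasticsearch version and JDK major to the advisory's categories."""
    v = parse(es_version)
    major = v[0]
    if major in SHIPS_MITIGATION and v >= SHIPS_MITIGATION[major]:
        return "ships-mitigation"
    if major in NOT_SUSCEPTIBLE and v >= NOT_SUSCEPTIBLE[major] and jdk_major >= 9:
        return "not-susceptible"
    if major in PROPERTY_FIX and v >= PROPERTY_FIX[major]:
        return "needs-jvm-property"
    return "see-advisory"

def flag_jars(paths):
    """Return (path, version) for log4j-core/api jars inside the cited range."""
    hits = []
    for path in paths:
        m = JAR_RE.search(path)
        if m and LOG4J_AFFECTED[0] <= parse(m.group(1)) <= LOG4J_AFFECTED[1]:
            hits.append((path, m.group(1)))
    return hits

# Constructed sample listing, not taken from a real host.
SAMPLE_JARS = [
    "/opt/es-sample/lib/log4j-core-2.11.1.jar",
    "/opt/es-sample/lib/log4j-api-2.11.1.jar",
    "/opt/es-sample/lib/log4j-1.2-api-2.11.1.jar",   # bridge jar, not matched
    "/opt/es-sample/lib/log4j-core-2.17.0.jar",
]

if __name__ == "__main__":
    for path, ver in flag_jars(SAMPLE_JARS):
        print(f"in cited range: {path} ({ver})")
    # A jar in range does not decide exposure alone; the JDK in use matters too.
    for jdk in (8, 11):
        print(f"Elasticsearch 7.9.2 on JDK {jdk}: {triage_es('7.9.2', jdk)}")
```

The result for 7.9.2 depends on the JDK the node actually runs, so the jar listing and the version check need to be read together.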

Welcome to our community! :smiley:

You should definitely upgrade as a matter of general maintenance. However, we will be releasing a new version with upgraded packages very soon.

Thank you very much.
So, should I wait for the new version to be released, or which version can I upgrade to for now?

Upgrading to 7.16.2 will also upgrade the log4j package to the latest without the flaw(s).

Thank you very much, I really appreciate it :slight_smile:

Hello guys, currently the log4j version is 2.11, both core and api.
What about removing those jars and replacing them with
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/
and restarting the Elasticsearch service? It's working, but I don't know if this will fix the vulnerability or, even worse, impact the data. Could you please advise?

We do not recommend replacing jar files within an existing Elasticsearch install.

Please see "Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31" (Security Announcements, Discuss the Elastic Stack) for advice on how to address this issue.

Upgrading a live system is not recommended in my case right now. Can I apply these replacement jars until we manage the upgrade plan? What do you think?

My answer is the same as last time you asked.

We do not recommend replacing jar files within an existing Elasticsearch install.

Please follow the official advice on how to address this issue.
