Log4j vulnerability and Elasticsearch 6.8.21

As per the release notes of Elasticsearch 6.8.21, the vulnerability CVE-2021-44228 is addressed by removing the class file JndiLookup.class from the log4j jar. We have upgraded our application with Elasticsearch 6.8.21 and I see the class file is removed from the log4j jar. However, I found another JndiLookup.class in the jar file Elasticsearch-sql-cli-6.8.21.jar.
Doesn't it make the vulnerability alive?
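An added example, not part of the original post or of Elasticsearch: a Python inventory check that lists every packaged copy of JndiLookup.class under a directory, including copies inside jars nested in other jars, which is how a second copy like the one described above can be located. The sample jar names and the `demo` helper are constructed for illustration.

```python
import io
import pathlib
import zipfile

TARGET = "JndiLookup.class"  # the class the post says the mitigation removes
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def find_jndilookup(data, label, depth=0, max_depth=4):
    """Return the archive path of every JndiLookup.class inside jar bytes,
    descending into nested archives in memory (nothing is extracted to disk)."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, skip it
    with zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == TARGET:
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                hits += find_jndilookup(zf.read(name), f"{label}!/{name}",
                                        depth + 1, max_depth)
    return hits

def scan_tree(root):
    """Scan every *.jar below root, e.g. an Elasticsearch install directory."""
    hits = []
    for path in sorted(pathlib.Path(root).rglob("*.jar")):
        hits += find_jndilookup(path.read_bytes(), str(path))
    return hits

def _make_jar(entries):
    """Build a small jar in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed samples: a stripped jar, a jar with the class, a nested jar."""
    pkg = "org/apache/logging/log4j/core/lookup/"
    stripped = _make_jar({pkg + "Interpolator.class": b"x"})
    bundled = _make_jar({pkg + TARGET: b"x"})
    nested = _make_jar({"lib/inner.jar": bundled})
    return {n: find_jndilookup(d, n) for n, d in
            [("sample-stripped.jar", stripped), ("sample-bundled.jar", bundled),
             ("sample-nested.jar", nested)]}

if __name__ == "__main__":
    for jar, found in demo().items():
        print(jar, found or "clean")
```

A hit shows only that a copy of the class is packaged in that archive; which log4j version it belongs to and whether that code is reachable still have to be checked separately.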

