We have Elasticsearch 7.8.0 cluster which has CVE-2021-44228. Can we somehow patch it without upgrading the Elasticsearch version? If yes, can you please share any relevant thread or documentation?

[image] Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 Security Announcements Subject: Apache Log4j2 Vulnerability - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 - ESA-2021-31 Note - We will update this announceme…

Log4j Vulnerability Elasticsearch 7.8.0

Elastic Stack Elasticsearch

mikewillis (Mike Willis) May 10, 2023, 8:48am 2

Search for "Elasticsearch announcement (ESA-2021-31)". There's information about how to mitigate by setting -Dlog4j2.formatMsgNoLookups=true

Topic		Replies	Views
How do I Mitigate LOG4J CVE on Elasticsearch 7.4.0? Elasticsearch	3	613	January 4, 2023
When will the next patch be released for Elasticsearch Elasticsearch	8	1626	January 17, 2022
Log4j on Elasticsearch 7.9.2 Elasticsearch	9	3344	February 14, 2022
Log4j CVE-2021-44832 (released 28th dec) - is ES vulnerable? Elasticsearch	10	6644	February 7, 2022
Does Log4j vulnerability (CVE-2021-44228) is impacted for ES v7.5.2? Elasticsearch	2	1269	January 17, 2022

Log4j Vulnerability Elasticsearch 7.8.0

Related topics