Hi, Our vulnerability scanning tool is detecting Elasticsearch-sql-cli-7.16.1.jar in the bin folder as vulnerable and the jar file contains a Jndilookup.class file. Is it supposed to be detected as vulnerable? Can anyone please advise? Thank you, Oliver

Log4j vulnerability in Elastic Search 7.16.1

ikakavas (Ioannis Kakavas) April 20, 2022, 3:08am 2

Please read through Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 and let us know if you have any questions after that

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.