Is Logstash affected by Apache Log4j2 2.17.0 vulnerability CVE-2021-44832?

Apache Log4j2 2.17.0 reports a new vulnerability, CVE-2021-44832. Is Logstash affected or not?


We will update the official advisory.

Sidenote: This security issue has a very strong precondition — attackers need to be able to change the logging configuration. Generally that means already being admin on the system.

When will the Elastic log4j advisory be updated to account for CVE-2021-44832?
Hopefully, the answer is "today". :wink:

Just came out.

"Today" is a complicated concept in a global community :sweat_smile:

