I am using Logstash 7.5.1 with the log4j jar at 2.11.1. As per the doc at https://discuss.elastic.co/, it is mentioned to remove the JNDI class if we don't want to upgrade Logstash. Is it possible to upgrade the log4j jar to 2.15.0 in my current Logstash version to mitigate this vulnerability? Is there any impact if the log4j jar is different on the Logstash servers and the Elastic servers?
No, you can't just replace the jar with a newer version.
Please read the security announcement about the Log4J exploit, there you will find how to mitigate the issue according to your Logstash/Elasticsearch version.
If what you want to do is not mentioned there, then it is not recommended or tested by Elastic.
Elastic has not announced a release date. I am sure that when a fix is available it will be noted in the top post in the Security Announcements thread.
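
One way to verify the "remove the JNDI class" mitigation mentioned in the question, as an added example that is not part of the thread or of Elastic's guidance: it walks a directory for log4j-core jars and reports whether each one still contains `JndiLookup.class`. The class path is the standard Log4j 2 location inside the jar; the function names and the directory layout built in `demo()` are constructed for illustration, and jars nested inside other archives are not inspected.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Path of the class inside log4j-core that the mitigation removes.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def audit_jar(jar_path):
    """Return (version_from_filename, has_jndi_class) for one jar."""
    m = JAR_NAME.search(Path(jar_path).name)
    version = m.group(1) if m else "unknown"
    with zipfile.ZipFile(jar_path) as jar:
        return version, JNDI_CLASS in jar.namelist()


def audit_tree(root):
    """Find every log4j-core jar beneath root and audit each one."""
    findings = []
    for jar_path in sorted(Path(root).rglob("log4j-core-*.jar")):
        try:
            version, has_jndi = audit_jar(jar_path)
        except zipfile.BadZipFile:
            # A truncated or corrupt jar needs manual review.
            findings.append((str(jar_path), "unreadable", None))
            continue
        findings.append((str(jar_path), version, has_jndi))
    return findings


def make_jar(path, names):
    # Constructed sample jar: empty entries, only the names matter here.
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for name in names:
            jar.writestr(name, b"")


def demo():
    """Audit a constructed tree: one untouched jar, one with the class removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        other = "org/apache/logging/log4j/core/Logger.class"
        make_jar(root / "a" / "log4j-core-2.11.1.jar", [other, JNDI_CLASS])
        make_jar(root / "b" / "log4j-core-2.11.1.jar", [other])
        return [(Path(p).parent.name, v, j) for p, v, j in audit_tree(root)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point `audit_tree()` at the installation directory on each server; any row ending in `True` is a jar that still ships the class.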