Replace Log4j from 2.11.0 to 2.15.0

Hello Team,

I am using logstash 7.5.1 and having log4j jar as 2.11.1. Now as per doc https://discuss.elastic.co/ it is mentioned to remove JNDI class if we don't want to upgrade logstash. Is it possible if I can upgrade log4j jar to 2.15.0 in my current logstash version to mitigate this vulnerability? Do we have any impact if log4j jar will be different in logstash servers and elastic servers.

I am also want solution for this. It's keep saying you might reinstall the gem
How to do that?

Hi Team,

As Log4j 2.17 is not vulnerable so if we don't want to go with upgrade, can we replace log4j jar from 2.11 to 2.17?

ELK current Version : 7.9.3

any update ?

No, you can't just replace the jar with a newer version.

Please read the security announcement about the Log4J exploit, there you will find how to mitigate the issue according to your Logstash/Elasticsearch version.

If what you want to do is not mentioned there, then it is not recommended or testes by elastic.

Hi Team,
We want to upgrade our current log4j 2.17.0 to 2.17.1. When will the log4j 2.17.1 release be available & Please provide us a release update

elastic have not announced a release date. I am sure that when a fix is available it will be noted in the top post in the Security Announcements thread.

Hi, We are using ELK 6.8.14. To upgrade the log4j to log4j 2.17. Could You please suggest me, what action we need to take.

Thank You.

Per the announcement here

our overall recommendation is to update to version 7.16.2 or 6.8.22.

If you want Log4j 2.17 you should upgrade Elasticsearch to 6.8.22
There is no other supported option.