Replace Log4j from 2.x to 2.17.0 or later

Our oldest products include Elastic Stack versions 5.2, 6.2.2 and 7.10.2. We're in a situation where we cannot uplift these Elastic versions to the latest/fixed versions.

Can we replace the Log4j 2.x versions with 2.17.x or later for Elasticsearch and Logstash in versions 5.2, 6.2.2 and 7.10.2?

Please suggest.

No, you can't just replace the library with a newer version.

All the recommendations regarding the Log4shell exploit are in the pinned security announcement, there you will find instructions to mitigate this in different versions.


Thank you! Just for my understanding, why is Log4j jar replacement not recommended by Elastic?

Hi Team,

Please help us with following information

  • Technical information on why the Elastic community does not recommend directly replacing jars.

  • The Apache v2 license applies to both of the Elastic versions mentioned and to Log4j 2.17.1. Does the Elastic community anticipate any license violations if we replace the Log4j 2.x version with the Log4j 2.17.1 jar (from Apache Downloads) on the Elastic Stack component versions (5.2, 6.2.2 and the OSS distribution of 7.10.2) after validating our use cases?

It's not tested or supported and it's entirely possible that it just doesn't work. The announcement to which @leandrojmp linked contains advice and recommendations for what to do with older versions, although of course the primary recommendation is to address any blockers and upgrade to supported versions as a matter of urgency.

We can't offer legal advice. You will need to consult your own lawyer to answer this question.
