Replace Log4j from 2.x to 2.17.0 or later

Our oldest products include Elastic Stack versions 5.2, 6.2.2 and 7.10.2. We are in a situation where we cannot uplift the Elastic versions to the latest/fixed versions.

Can we replace the Log4j 2.x versions with 2.17.x or later for Elasticsearch and Logstash in versions 5.2, 6.2.2 and 7.10.2?

Please suggest.

No, you can't just replace the library with a newer version.

All the recommendations regarding the Log4Shell exploit are in the pinned security announcement; there you will find instructions to mitigate this in the different versions.

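Before applying whatever per-version mitigation the announcement prescribes, it helps to know exactly which log4j-core jars an install tree actually contains. The script below is an added example, not code from the thread or from Elastic: it walks a directory, reads the Log4j version from each jar's embedded Maven pom.properties and checks whether the JndiLookup class is still inside it. It flags a jar only when the version is below 2.17.0 and the class is still present, so a jar from which the class has been stripped is reported as handled, while a 2.17.x jar is not flagged even though later 2.x releases keep the class and merely disable JNDI lookups by default. It inspects jars only; a mitigation applied through JVM options is invisible to it. The install paths and jar contents in the demo tree are constructed for the example and are not the real Elastic artifacts.

```python
"""Inventory log4j-core jars under an install tree and flag those that still need attention.

Added example; assumptions: jars carry the standard Maven pom.properties entry,
and the only thing checked is the jar itself (not jvm.options or system properties).
"""
import os
import re
import tempfile
import zipfile
from typing import Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 0)  # first release the thread title treats as acceptable


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull 'version=X.Y.Z' out of a pom.properties body."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path: str) -> dict:
    """Report version, JndiLookup presence, and whether this jar still needs attention."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            version = None
            if POM_PROPERTIES in names:
                version = parse_version(jar.read(POM_PROPERTIES).decode("utf-8", "replace"))
            has_jndi = JNDI_LOOKUP_CLASS in names
    except zipfile.BadZipFile:
        return {"path": path, "error": "not a valid jar", "needs_attention": True}
    # Unknown version is treated as old; a stripped class counts as mitigated.
    old = version is None or version < FIXED
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": has_jndi,
        "needs_attention": old and has_jndi,
    }


def scan_tree(root: str) -> list:
    """Find every log4j-core*.jar below root and inspect it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["path"])


def make_sample_jar(path: str, version: Optional[str], include_jndi: bool) -> None:
    """Write a constructed, minimal jar (not a real Log4j artifact) for offline testing."""
    with zipfile.ZipFile(path, "w") as jar:
        if version:
            jar.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes


def build_demo_tree() -> str:
    """Create a temp directory shaped like a stripped-down install; paths are made up."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    samples = [
        ("elasticsearch/lib/log4j-core-2.11.1.jar", "2.11.1", True),        # old, class present
        ("logstash/lib/jars/log4j-core-2.11.1.jar", "2.11.1", False),       # old, class stripped
        ("patched/log4j-core-2.17.1.jar", "2.17.1", True),                  # fixed release
        ("unknown/log4j-core.jar", None, True),                              # no pom.properties
    ]
    for rel, version, jndi in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        make_sample_jar(path, version, jndi)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for r in scan_tree(target):
        flag = "NEEDS ATTENTION" if r["needs_attention"] else "ok"
        print(f"{flag:15} {r.get('version')} jndi={r.get('jndi_lookup_present')} {r['path']}")
```

Run it against a real install root (for example the Elasticsearch or Logstash home directory) to get the same table for the jars actually shipped; with no argument it runs over the constructed demo tree.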

Thank you! Just for my understanding, why is Log4j jar replacement not recommended by Elastic?