Request for product remediation guidance – bundled Apache Log4j vulnerabilities in Elasticsearch/Logstash

Security scans have identified vulnerable Apache Log4j Core versions bundled with Elasticsearch 8.19.14 and Logstash on the host. Nessus reports CVE-2026-34477 and CVE-2026-34480, requiring Log4j 2.25.3/2.25.4 or later.

Request to product team:
Please confirm product guidance and remediation plan for upgrading or replacing the bundled Log4j libraries in Elasticsearch 8.19.14 and the Logstash component currently shipping with Log4j 2.17.2. We need confirmation whether:

  • an approved product patch/hotfix is available,
  • these bundled JARs can be upgraded safely to Log4j 2.25.3/2.25.4 or later,
  • there are any product compatibility constraints,
  • there is a target release timeline for a supported fix.

Welcome!

Thank you for your report.

Elastic's security reporting guidelines are available at Product Security at Elastic | Elastic.

Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.