Vulnerability Apache Tika 1.13 < 3.2.2 XXE (CVE-2025-66516) and Apache Log4j 2.0-beta9 < 2.25.3 MitM in VA scan report of server

Ravinder07Sharma · February 3, 2026, 11:51am

we are running Elasticsearch-8.17.10 on 6 RHEL 8 servers. But we are getting vulnerability Apache Tika 1.13 < 3.2.2 XXE (CVE-2025-66516) and Apache Log4j 2.0-beta9 < 2.25.3 MitM in VA scan report of server. log4j vulnerability is not getting fixed by upgrading elasticsearch to version 8.19.10.How to fix these vulnerabilities?

Topic		Replies	Views
Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE Elasticsearch	7	667	February 17, 2023
Apache Log4j2 vulnerability Elasticsearch	4	1184	January 19, 2022
Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 Security Announcements	7	352231	November 4, 2022
Bitbucket and Elastic security question! Elasticsearch	4	1095	March 11, 2022
Is Elasticsearch affected by CVE-2021-45046 - a second vulnerability in log4j? Elasticsearch	2	6013	January 12, 2022

Vulnerability Apache Tika 1.13 < 3.2.2 XXE (CVE-2025-66516) and Apache Log4j 2.0-beta9 < 2.25.3 MitM in VA scan report of server

Related topics