When will the next patch be released for Elasticsearch

When will the next patch for Elasticsearch be released?

Per the announcement here (which is being updated daily, so please check back there):

As of December 13, 2021, we have released Elasticsearch 6.8.21 and 7.16.1 which set the JVM option identified below and remove the vulnerable JndiLookup class from Log4j out of an abundance of caution. If you are on a 6.x version prior to 6.4.0 and upgrading is not possible, you can follow the instructions here.

Welcome to our community! :smiley:

Very soon; we don't provide dates or specific ETAs though, sorry.

@Aydan If you are looking for 7.16.2 for the Log4J see here

It is also at the very top of this page.

Update Log

....

  • Dec 19, 2021 - 13:32 UTC - Elasticsearch and Logstash 7.16.2 and 6.8.22 are now released. These releases include the most recent version of Log4j (2.17.0).

Thank You

Thank you

I have a concern regarding Elasticsearch.

In your announcement, it is stated that, to mitigate the vulnerability, the -Dlog4j2.formatMsgNoLookups=true variable should be added to the jvm.options.

However, the article below states that this is an insufficient mitigation measure:

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105

Are you able to confirm this?

Please see Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 as it goes into all of this in detail :slight_smile:
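
A local check for the three things this thread discusses (the `-Dlog4j2.formatMsgNoLookups=true` line in jvm.options, whether a `log4j-core` jar still contains the `JndiLookup` class, and whether the jar is at Log4j 2.17.0), added here as an example and not part of the original thread or Elastic's own tooling. The function names, directory layout and sample files are assumptions constructed for the demonstration, and the version is read from the jar file name only.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FLAG = "-Dlog4j2.formatMsgNoLookups=true"
RELEASED = (2, 17, 0)  # Log4j version the thread says ships in 7.16.2 / 6.8.22

def jvm_flag_set(jvm_options: Path) -> bool:
    """True if the flag is on an active (non-comment) line of jvm.options."""
    if not jvm_options.is_file():
        return False
    lines = (ln.strip() for ln in jvm_options.read_text().splitlines())
    return any(ln.endswith(FLAG) for ln in lines if not ln.startswith("#"))

def audit_jar(jar: Path) -> dict:
    """Version (parsed from the file name) and JndiLookup presence for one jar."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)", jar.name)
    version = tuple(int(x) for x in m.groups()) if m else None
    with zipfile.ZipFile(jar) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    return {"jar": jar.name, "version": version, "has_jndi_lookup": has_jndi,
            "at_released_version": version is not None and version >= RELEASED}

def audit(lib_dir: Path, jvm_options: Path) -> dict:
    """Combine the flag check with a scan of every log4j-core jar under lib_dir."""
    jars = [audit_jar(j) for j in sorted(lib_dir.rglob("log4j-core-*.jar"))]
    return {"flag_set": jvm_flag_set(jvm_options), "jars": jars}

def build_sample(root: Path) -> tuple:
    """Constructed fixture (not real jars): an old jar with the class stripped,
    an old jar that still has it, and jvm.options with the flag commented out."""
    lib = root / "lib"
    (lib / "stale").mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-core-2.11.1.jar", "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    with zipfile.ZipFile(lib / "stale" / "log4j-core-2.11.1.jar", "w") as zf:
        zf.writestr(JNDI_CLASS, b"")
    opts = root / "jvm.options"
    opts.write_text("-Xms1g\n# " + FLAG + "\n")
    return lib, opts

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_sample(Path(tmp))))
```

Any jar reported with `has_jndi_lookup` true and `at_released_version` false is one to compare against the advisory linked above; the script only reads files and does not inspect a running JVM's actual arguments.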
