My current es is 2.4 6. I want to know whether my website will be affected by log4j vulnerability

[sniper756]

My current es is 2.4 6. I want to know whether my website will be affected by log4j vulnerability.

thx

 

[Chris D]

Yes. To an extent. Elasticsearch inherently has some protection due to using Java Security Manager.


We recommend upgrading to Elasticsearch 6.4 or above and applying the hot fix we posted in the Announcements forum.

 

[Kirby]

Yes. To an extent. Elasticsearch inherently has some protection due to using Java Security Manager.

Hmm, as far as I've understood https://discuss.elastic.co/t/apache...lnerability-cve-2021-44228-esa-2021-31/291476 this might only be the case for ES 6/7 - not necessarily for ES 5 (or even older versions)?

Elasticsearch versions 5.0.0+ contain a vulnerable version of Log4j. We’ve confirmed that the Security Manager mitigates the remote code execution attack in Elasticsearch 6 and 7; investigation is still underway for Elasticsearch 5.

 

[Chris D]

My current es is 2.4 6. I want to know whether my website will be affected by log4j vulnerability.

thx

My apologies. 2.4.6 does not include a vulnerable version of Log4j so you should be fine.

 

[Nirjonadda]

Updated to Elasticsearch Version: 7.16.1 and Release date: December 13, 2021