My current ES is 2.4 6. I want to know whether my website will be affected by the log4j vulnerability.

Yes. To an extent. Elasticsearch inherently has some protection due to using Java Security Manager.


We recommend upgrading to Elasticsearch 6.4 or above and applying the hot fix we posted in the Announcements forum.
 
Yes. To an extent. Elasticsearch inherently has some protection due to using Java Security Manager.
Hmm, as far as I've understood https://discuss.elastic.co/t/apache...lnerability-cve-2021-44228-esa-2021-31/291476 this might only be the case for ES 6/7 - not necessarily for ES 5 (or even older versions)?

Elasticsearch versions 5.0.0+ contain a vulnerable version of Log4j. We’ve confirmed that the Security Manager mitigates the remote code execution attack in Elasticsearch 6 and 7; investigation is still underway for Elasticsearch 5.
 