Closed pabloochoaa closed 2 years ago
Thanks for reporting it, we will look at it.
According to the Elastic post on the release of 7.16.2 (https://www.elastic.co/blog/new-elasticsearch-and-logstash-releases-upgrade-apache-log4j2), version 7.16.1 of Elasticsearch is not vulnerable to the log4j CVEs, even if the version is one of the vulnerable ones.
In our advisory post, we identify several mitigations that are effective on versions of Elasticsearch and Logstash even when using a vulnerable version of Log4j. Elasticsearch and Logstash versions 7.16.1 and 6.8.21 also fully mitigate CVE-2021-44228 and CVE-2021-45046. Despite these versions providing full protection against all known CVEs, they may trigger false positive alerts in vulnerability scanners that look at only the version of the Log4j dependency. We understand that while that may not lead to risk, some deployments and customers may still be concerned about compliance implications.
Problem description
The Docker Hub page shows that the 7.16.1 Elasticsearch version is free of the vulnerability known as “Log4Shell” (CVE-2021-44228 or CVE-2021-45046), but it actually isn’t. It has the previously mentioned vulnerability, as it uses version 2.11.1 for both its core and API. As said in the corresponding blog, "The vulnerable versions of Log4j 2 are versions 2.0 to version 2.14.1 inclusive".
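The disagreement in this thread is between a scanner that only reads the Log4j version string and the advisory's statement that mitigations were applied to the shipped jar. The following is an added example (not code from Elastic or from this issue) that checks both: it reads the version from the jar manifest and tests it against the 2.0 to 2.14.1 range quoted above, and separately checks whether the JndiLookup class is still present, which is the class whose removal Apache documented as a mitigation for these two CVEs (the thread itself does not name which mitigations Elastic applied, so treating that class as the indicator is an assumption here). The sample jars are constructed in memory and are not real artifacts.

```python
import io
import re
import zipfile
from typing import Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Range quoted in the thread: Log4j 2 versions 2.0 through 2.14.1 inclusive.
VULN_RANGE = ((2, 0, 0), (2, 14, 1))


def parse_version(text: str) -> tuple:
    """Turn a version string such as '2.11.1' into a comparable tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_vulnerable_range(version: str) -> bool:
    lo, hi = VULN_RANGE
    return lo <= parse_version(version) <= hi


def read_manifest_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_log4j_core(jar_bytes: bytes) -> dict:
    """Report the version-only verdict next to the JndiLookup presence check."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        version = read_manifest_version(jar)
        has_jndi = JNDI_LOOKUP in jar.namelist()
    version_flagged = version is not None and version_in_vulnerable_range(version)
    # A version-only scanner stops at version_flagged; still_at_risk also requires
    # that the JndiLookup class has not been removed from the jar.
    return {"version": version, "version_flagged": version_flagged,
            "jndi_lookup_present": has_jndi,
            "still_at_risk": version_flagged and has_jndi}


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar; class bodies are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Running `assess_log4j_core` over a real `log4j-core-*.jar` pulled from the image shows whether a `version_flagged` result from a scanner is accompanied by the class actually being present.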