Open kcris opened 2 years ago
It was added as the default JVM option in Elasticsearch 7.16.1 (81622).
Indeed, but what about older ES versions?
The default version for the role has been upgraded to 7.16.2.
Even with that flag added, it will still be vulnerable to CVE-2021-45046 without removing the JNDI class, hence the recommendation is to upgrade to 7.16.2.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Given the recent log4j2 security issue it's a good idea to use `-Dlog4j2.formatMsgNoLookups=true` in the ES role's jvm.options
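
A defender-side check for the situation discussed in this thread, as an added example (not code from the role or from Elasticsearch): it reports whether a node is on 7.16.2 or later, relies on the flag alone, or has had the JndiLookup class removed from its log4j-core jar. The status labels, function names and sample inputs are constructed for illustration, and only the 7.16.2 threshold named in the thread is compared against.

```python
import re
import tempfile
import zipfile

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (7, 16, 2)  # release the thread recommends upgrading to


def flag_set(jvm_options_text):
    """True if FLAG is on an active (non-comment) jvm.options line."""
    for line in jvm_options_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Drop an optional Java-version prefix such as "8:", "8-:" or "8-9:".
        if re.sub(r"^\d+(-\d*)?:", "", line) == FLAG:
            return True
    return False


def jndi_class_present(jar_path):
    """True if the log4j-core jar still ships the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def assess(version, jvm_options_text, log4j_core_jar):
    """Classify one node; the labels are this example's own."""
    if tuple(int(p) for p in version.split(".")[:3]) >= FIXED:
        return "upgraded"
    if not jndi_class_present(log4j_core_jar):
        return "jndi-class-removed"
    # Flag without class removal: still exposed to CVE-2021-45046 per the thread.
    return "flag-only" if flag_set(jvm_options_text) else "unmitigated"


def demo():
    """Run assess() on constructed inputs: a stand-in jar and jvm.options text."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = tmp + "/log4j-core.jar"  # constructed, not a real log4j build
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr(JNDI_CLASS, b"")
        options = "# constructed sample\n-Xms1g\n8-:" + FLAG + "\n"
        return [assess("7.16.2", "", jar),
                assess("7.10.2", options, jar),
                assess("7.10.2", "#" + FLAG, jar)]
```

A result of `flag-only` is the case the reply above warns about, so treat it as a node that still needs the upgrade.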