Safe options for log4j2 - CVE-2021-44228

[kcris]

Given the recent log4j2 security issue it's a good idea to use -Dlog4j2.formatMsgNoLookups=true in the ES role's jvm.options

[hendry-lim]

It was added as the default JVM option in Elasticsearch 7.16.1 81622.

[kcris]

indeed, but what about older ES versions?

[hendry-lim]

The default version for the role has been upgraded to 7.16.2. Even with that flag added, it will still be vulnerable to CVE-2021-45046 without removing the JNDI class, hence the recommendation is to upgrade to 7.16.2.

[botelastic[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.