Closed hermitdemschoenenleben closed 2 years ago
We're tracking this issue in https://github.com/pelias/pelias/issues/921. As you mentioned, it's unlikely that the current ES version is vulnerable, but we're looking to upgrade anyway.
Absolutely. While it does look like recent versions of Elasticsearch 7 include newer JVMs that prevent most or all of the damage from log4j, there's no reason to risk it.
https://github.com/pelias/docker/pull/275 upgrades the default Elasticsearch image used by all the Docker projects.
Elasticsearch just released the 7.16.1 Docker image with fixes for the 0day vulnerability in log4j. While Elasticsearch officially claims that the bug is not exploitable in Elasticsearch, some people state that this is not true. Anyway, I think to be on the safe side it would make sense to upgrade to version 7.16.1 of Elasticsearch. Do you know of any incompatibilities that may arise when upgrading from 7.5.1, which pelias/docker uses?