Closed fjicddnm closed 2 years ago
Hello,
I suspect that Nessus is looking purely at the version of Log4j rather than if it is actually exploitable, but we do intend to publish an update to LME to use 7.16.3 once testing has been completed.
Elastic state on this page that 7.16.2 has "no known vulnerabilities to CVE-2021-44832": https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
Regardless, we do still intend to push LME to 7.16.3 after testing.
Thanks, Duncan
@fjicddnm - Hopefully the above #124 PR which updates the version to 7.16.3 resolves your issue.
Thanks, Duncan
Nessus is still showing that our LME server is vulnerable to CVE-2021-44832 (which is the latest iteration of Log4Shell).
I notice that LME is on version 7.16.2 of the Elastic stack, whereas version 7.16.3 patches the vulnerability above.
Please could you advise as to whether LME is vulnerable to CVE-2021-44832, and whether you're planning to move to 7.16.3.
Many thanks