On Mon, 10 Jan 2022 at 18:18, Jeremy Stanley <fungi@yuggoth.org> wrote:
> On 2022-01-10 18:10:19 +0100 (+0100), Pierre Riteau wrote:
> [...]
> > For CentOS images, this is bundled into elasticsearch-oss-7.10.2-1.x86_64:
> > /usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
> > /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
> > Note that according to Elastic, this version is not vulnerable thanks to the use of the Java Security Manager.
> Thanks! Was there a public statement from Elastic to that effect, so that we can point users at it if they have questions?
>
> At this point a lot of enterprises are ripping out or shutting down anything which can't be upgraded to Log4j 2.17.1, due in part to the mixed messages about which older versions are actually impacted and which workarounds can mitigate it.
> --
> Jeremy Stanley
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnera...
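As an added example (not part of this thread or of any project's code), the following Python check inventories bundled log4j jars the way an operator would while triaging the versions discussed above: it parses the version from each log4j-core jar name against the 2.17.1 upgrade target, and for older jars looks inside for the JndiLookup class that the widely published workaround removes. The jars are constructed in memory as stand-ins for the paths quoted in the thread; the `/opt/example/...` path is hypothetical. The check reports what needs review, not whether exploitation is possible, since runtime mitigations such as the Java Security Manager are not visible from the jar itself.

```python
import io
import re
import zipfile

# Upgrade target named in the thread; JNDI_LOOKUP is the class the published workaround removes.
FIXED_VERSION = (2, 17, 1)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def version_from_name(path):
    """Return (major, minor, patch) parsed from a log4j-core jar path, or None for other jars."""
    m = JAR_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else None


def has_jndi_lookup(jar_bytes):
    """True if the jar (given as bytes) still ships JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP in zf.namelist()


def assess(path, jar_bytes):
    """Classify one jar by filename version and, for old versions, by JndiLookup presence."""
    ver = version_from_name(path)
    if ver is None:
        return "not-log4j-core"
    if ver >= FIXED_VERSION:
        return "patched-version"
    return "old-jndi-present" if has_jndi_lookup(jar_bytes) else "old-jndi-removed"


def make_jar(entries):
    """Build a constructed in-memory jar containing only the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed stand-ins: the two paths quoted in the thread plus a hypothetical patched jar.
SAMPLE_JARS = {
    "/usr/share/elasticsearch/lib/log4j-api-2.11.1.jar": make_jar(["META-INF/MANIFEST.MF"]),
    "/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar": make_jar(["META-INF/MANIFEST.MF", JNDI_LOOKUP]),
    "/opt/example/log4j-core-2.17.1.jar": make_jar(["META-INF/MANIFEST.MF"]),
}


def inventory(jars=SAMPLE_JARS):
    """Return {path: classification} for every jar in the mapping."""
    return {path: assess(path, data) for path, data in jars.items()}


if __name__ == "__main__":
    for path, status in inventory().items():
        print(f"{status:17} {path}")
```

On a real host, feed `inventory()` a mapping built from `find / -name 'log4j-core-*.jar'` and the bytes of each file.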