Mailing List Archive

[Security vulnerability] Log4j zero-day exploit info for CirrusSearch and Semantic MediaWiki ElasticStore
Hello all,

As you may have seen recently, Log4j has a severe zero-day exploit
affecting many projects, including Elasticsearch. For anyone using
CirrusSearch or Semantic MediaWiki’s ElasticStore, here’s what you need to
know:

- If you are using JDK 11 or above, you’re not affected.
- If you are using the latest version of the Elasticsearch 6.x Docker
images, you’re not affected. This is because 6.6 uses JDK 11, 6.7 uses JDK
12, and 6.8 uses JDK 15.
- If you are using JDK 8 or under, you are likely affected. There are a
few ways to fix this:
-- First, Elasticsearch 6.8.21 is being released to remedy this. Upgrading
to this version should resolve the issues even if you are using JDK 8 or
below.
-- If you are using Elasticsearch 6.5.4, 6.6.x, 6.7.x, or you are otherwise
unable to upgrade to the latest version of Elasticsearch 6.x, I strongly
recommend you try upgrading your JDK version to at least JDK 11 or upgrade
Elasticsearch to 6.8.21 when it comes out.
-- If you can’t upgrade your JDK or Elasticsearch, you can set the JVM
option -Dlog4j2.formatMsgNoLookups=true

You may have seen information on the CirrusSearch extension page saying
CirrusSearch 6.5.4 only currently works with Elasticsearch 6.5.4. That is
not correct; CirrusSearch 6.5.4 works just fine with 6.8.20 (for instance,
Project Canasta uses the ES 6.8.20 Docker image) and the extension page has
been updated to reflect that.

For more information from Elastic themselves, please see this:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Thanks,
Jeffrey
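The checks in the message above (Elasticsearch version, JDK major version, and whether the formatMsgNoLookups JVM option is actually in effect) can be run against a cluster's own GET _nodes/jvm response. The script below is an added example and is not part of the original post, nor code from Elastic, CirrusSearch or Semantic MediaWiki. It encodes the message's decision rules as written; the sample response embedded in it is constructed to illustrate the node shapes and was not captured from any real cluster. Elastic's advisory linked above remains the authoritative source for which combinations are exposed, so the script also reports the flag state on nodes the rules call unaffected.

```python
"""Audit Elasticsearch nodes for the Log4j (CVE-2021-44228) mitigations
described in the message, using the JSON returned by GET _nodes/jvm.

The fields used (nodes.<id>.version, nodes.<id>.jvm.version and
nodes.<id>.jvm.input_arguments) are part of the real nodes-info API;
everything else here is example code."""
import json
import sys

# Constructed sample of a (trimmed) GET _nodes/jvm response; not real data.
SAMPLE_NODES_JVM = json.dumps({
    "nodes": {
        "node-a": {"name": "es-a", "version": "6.8.20",
                   "jvm": {"version": "1.8.0_302",
                           "input_arguments": ["-Xms1g", "-Xmx1g"]}},
        "node-b": {"name": "es-b", "version": "6.8.20",
                   "jvm": {"version": "1.8.0_302",
                           "input_arguments": ["-Xms1g",
                                               "-Dlog4j2.formatMsgNoLookups=true"]}},
        "node-c": {"name": "es-c", "version": "6.6.2",
                   "jvm": {"version": "11.0.13",
                           "input_arguments": ["-Xms1g"]}},
        "node-d": {"name": "es-d", "version": "6.8.21",
                   "jvm": {"version": "1.8.0_302",
                           "input_arguments": ["-Xms1g"]}},
    }
})

FIXED_ES = (6, 8, 21)          # release the message says remedies the issue
SAFE_JDK_MAJOR = 11            # JDK threshold given in the message
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text):
    """'6.8.20' -> (6, 8, 20); tolerates suffixes such as '6.8.20-SNAPSHOT'."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def jdk_major(text):
    """Major release of a java.version string: '1.8.0_302' -> 8, '11.0.13' -> 11."""
    parts = text.split(".")
    if parts[0] == "1" and len(parts) > 1:      # legacy 1.x scheme (JDK 8 and older)
        return int(parts[1])
    return int(parts[0].split("-")[0])          # e.g. '17-ea' -> 17


def assess_node(node):
    """Classify one node per the message's rules; returns a dict of findings."""
    es = parse_version(node["version"])
    jdk = jdk_major(node["jvm"]["version"])
    # input_arguments lists every -D option the JVM was started with, whether it
    # came from jvm.options or ES_JAVA_OPTS, so this is the effective setting.
    flag_set = NOLOOKUPS_FLAG in node["jvm"].get("input_arguments", [])
    if es >= FIXED_ES:
        status = "fixed"
        advice = "Elasticsearch %s carries the Log4j fix" % node["version"]
    elif jdk >= SAFE_JDK_MAJOR:
        status = "not-affected"
        advice = "JDK %d per the message; %s is %s (keep it as defence in depth)" % (
            jdk, NOLOOKUPS_FLAG, "set" if flag_set else "not set")
    elif flag_set:
        status = "mitigated"
        advice = "JVM flag set; still upgrade to 6.8.21 or JDK %d+" % SAFE_JDK_MAJOR
    else:
        status = "affected"
        advice = "upgrade to 6.8.21 or JDK %d+, or add %s to jvm.options" % (
            SAFE_JDK_MAJOR, NOLOOKUPS_FLAG)
    return {"name": node["name"], "es": node["version"], "jdk": jdk,
            "flag_set": flag_set, "status": status, "advice": advice}


def audit(nodes_jvm_json):
    """Map node id -> assessment for a whole GET _nodes/jvm response body."""
    data = json.loads(nodes_jvm_json)
    return {nid: assess_node(n) for nid, n in data["nodes"].items()}


if __name__ == "__main__":
    # Pass '-' to read a live response from stdin, e.g.
    #   curl -s http://localhost:9200/_nodes/jvm | python log4j_audit.py -
    body = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_NODES_JVM
    for nid, r in audit(body).items():
        print("%-8s ES %-8s JDK %-3d flag=%-5s %-12s %s" % (
            r["name"], r["es"], r["jdk"], r["flag_set"], r["status"], r["advice"]))
```

On the constructed sample the four nodes come out as affected, mitigated, not-affected and fixed respectively, which covers each branch of the message's advice; on a real cluster, any node reported as "affected" is the one to act on first.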