# Security

## Summary

We are aware of the [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) vulnerability, referred to as "Log4Shell".

Seascape Flex uses Elasticsearch OSS version 7.16.3 (or newer), which is **NOT affected** by the Apache Log4j vulnerabilities ([CVE-2021-44228 and CVE-2021-45046](https://logging.apache.org/log4j/2.x/security.html)).

## More information

A high-severity vulnerability ([CVE-2021-44228](https://logging.apache.org/log4j/2.x/security.html)) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.

> Elasticsearch, Logstash 7.16.3 and 6.8.23 are released, which upgrade log4j to 2.17.1. By default, Elasticsearch and Logstash have no known vulnerabilities to CVE-2021-44832.

[Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31](https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476)
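
To confirm the bundled Log4j version on an installed node, the following added example (not part of the original advisory, and not Seascape Flex or Elastic code) walks a directory for `log4j-core-*.jar` files and compares each version with the ranges stated above. The function names and status labels are assumptions made for the example; versions for which this page gives no range are reported for manual review.

```python
import re
import sys
from pathlib import Path

# Version boundaries taken from the advisory text on this page.
AFFECTED_MIN = (2, 0, 0)     # CVE-2021-44228: "versions 2.0 to 2.14.1"
AFFECTED_MAX = (2, 14, 1)
BUNDLED_FIXED = (2, 17, 1)   # Log4j shipped with Elasticsearch 7.16.3 / 6.8.23

# Matches log4j-core-<major>.<minor>[.<patch>][-qualifier].jar
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) from a log4j-core jar file name, or None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    # Assumption: a missing patch number or a pre-release qualifier counts as .0
    return tuple(int(g or 0) for g in m.groups())


def classify(version):
    """Map a version tuple to a status label (labels are illustrative)."""
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected-range"
    if version >= BUNDLED_FIXED:
        return "at-or-above-2.17.1"
    # Anything else: this page states no range, consult the vendor advisory.
    return "check-vendor-advisory"


def scan(root):
    """Return (path, version, status) for every log4j-core jar under root."""
    results = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        version = parse_version(jar.name)
        status = classify(version) if version else "unparsed"
        results.append((str(jar), version, status))
    return results


if __name__ == "__main__":
    findings = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, _, status in findings:
        print(f"{status:24} {path}")
    # Non-zero exit if any jar is not at or above 2.17.1, for use in scripts.
    sys.exit(1 if any(s != "at-or-above-2.17.1" for _, _, s in findings) else 0)
```

Pass the Elasticsearch installation directory as the first argument. The check reads file names only, so Log4j classes repackaged inside another jar are not detected.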
