Summary

We are aware of the Apache Log4j 2 vulnerability, referred to as "Log4Shell".

Seascape Flex uses Elasticsearch OSS version 7.16.3 (or newer), which is NOT affected by the Apache Log4j vulnerability (CVE-2021-44228 and CVE-2021-45046).

More information

A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.

Elasticsearch, Logstash 7.16.3 and 6.8.23 are released, which upgrade log4j to 2.17.1. By default, Elasticsearch and Logstash have no known vulnerabilities to CVE-2021-44832.

Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31