alexklibisz / elastiknn

Elasticsearch plugin for nearest neighbor search. Store vectors and run similarity search using exact and approximate algorithms.

Home Page: https://alexklibisz.github.io/elastiknn

Log4j Vulnerability Due Diligence

alexklibisz opened this issue

It looks like Elasticsearch running on recent JVMs is not vulnerable to the issue, but this project does depend on log4j 2.11.1 directly, and it does tweak some security settings in order to use the Unsafe API. So it's definitely worthwhile to do some due diligence on the vulnerability and see if the dependency can be updated.

@alexklibisz FYI, this issue has forced us onto ES 7.16.2. As I understand it, the Elastiknn version should match the ES version, so this indirectly impacts our ability to use Elastiknn.

I'll try to have a look at the open PRs for bumping to 7.16.x today.

Resolved by #333, #334, #335, #336