Apologies if this is the wrong place but I need to find an answer. I have noticed that LME uses log4j-core-2.11.1.jar located elasticsearch/lib/ and would like to find out how to mitigate the Log4shell vulnerability on this platform.
Please could you publish the current threat to the LME product stack and detail how to mitigate the vulnerability.

Regards

Adam

Hi Adam,

The change in #115 resolves the Log4j vulnerability tracked as CVE-2021-44228 and discussed in #114 by updating to the latest supported version of Elastic, where the issue has been addressed for both Elasticsearch and Logstash. Further information on the changes made by Elastic to address this is available here:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Thanks,
Duncan

Closing this as it's been resolved by the update to Elastic 7.16.3.