Page MenuHomePhabricator

Address "Log4shell" vulnerability in Elasticsearch 7.10.2
Closed, ResolvedPublic


Elasticsearch 7.10.x didn't receive the iteration that addressed recent JNDI related Log4j vulnerability ( as 6.8.x did. Since this probably won't happen, we need to make sure that the newly deployed version isn't affected.


  • Update log4j version beyond 2.15
  • disable message format lookups (-Dlog4j2.formatMsgNoLookups=true)


  • Production cluster isn't susceptible to log4j JNDI attacks

Event Timeline

Based on , RCE type vulnerability doesn't apply to Elasticsearch thanks to use of SecurityManager, but since our instances are using JRE8, there are some vulnerabilities still, that can be fixed by using mentioned system property.