Elasticsearch 7.10.x didn't receive the iteration that addressed the recent JNDI-related Log4j vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) as 6.8.x did. Since this probably won't happen, we need to make sure that the newly deployed version isn't affected.
Mitigations:
- Update the Log4j version beyond 2.15
- Disable message format lookups (-Dlog4j2.formatMsgNoLookups=true)
AC:
- Production cluster isn't susceptible to Log4j JNDI attacks
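One way to check the acceptance criterion per node, as an added example that is not part of the original ticket: it reads the `jvm.input_arguments` field of a `GET _nodes/jvm` response for the lookup flag and compares log4j-core jar names against 2.15, then lists nodes where neither mitigation is in place. The node names, the jar inventory (assumed to be collected out of band) and the reading of "beyond 2.15" as later than 2.15.0 are assumptions.

```python
import re

FLAG = "-Dlog4j2.formatMsgNoLookups="

# Constructed sample shaped like a trimmed `GET _nodes/jvm` response.
SAMPLE_NODES_JVM = {"nodes": {
    "a1": {"name": "es-data-1", "jvm": {"input_arguments": ["-Xms4g", FLAG + "true"]}},
    "b2": {"name": "es-data-2", "jvm": {"input_arguments": ["-Xms4g"]}},
    "c3": {"name": "es-master-1", "jvm": {"input_arguments": [FLAG + "true", FLAG + "false"]}},
    "d4": {"name": "es-master-2", "jvm": {"input_arguments": ["-Xms2g"]}},
}}

# Constructed inventory: log4j-core jar names per node (assumed to be
# gathered out of band, e.g. by listing each node's lib directory).
SAMPLE_JARS = {
    "es-data-1": ["log4j-core-2.11.1.jar"],
    "es-data-2": ["log4j-core-2.11.1.jar"],
    "es-master-1": ["log4j-core-2.11.1.jar"],
    "es-master-2": ["log4j-core-2.17.1.jar"],
}

def lookups_disabled(args):
    """True if the LAST formatMsgNoLookups setting is 'true' (a later -D wins)."""
    values = [a[len(FLAG):] for a in args if a.startswith(FLAG)]
    return bool(values) and values[-1].lower() == "true"

def jar_beyond_2_15(jar):
    """True if a log4j-core jar name carries a version later than 2.15.0."""
    m = re.fullmatch(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar", jar)
    return bool(m) and tuple(map(int, m.groups())) > (2, 15, 0)

def audit(nodes_jvm, jars_by_node):
    """Per node: is the flag set, and are all known log4j-core jars beyond 2.15?"""
    report = {}
    for node in nodes_jvm["nodes"].values():
        jars = jars_by_node.get(node["name"], [])  # unknown inventory counts as not updated
        report[node["name"]] = {
            "flag": lookups_disabled(node["jvm"]["input_arguments"]),
            "jar": bool(jars) and all(jar_beyond_2_15(j) for j in jars),
        }
    return report

def unmitigated(report):
    """Names of nodes with neither mitigation in place."""
    return sorted(n for n, r in report.items() if not (r["flag"] or r["jar"]))

if __name__ == "__main__":
    print(unmitigated(audit(SAMPLE_NODES_JVM, SAMPLE_JARS)))
```

A node whose flag is later overridden with `false`, or that has no jar inventory at all, is reported as unmitigated rather than silently passing.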