log4j2 library
"Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage. This is due to Elasticsearch’s usage of the Java Security Manager. Most other versions (5.6.11+, 6.4.0+ and 7.0.0+) can be protected via a simple JVM property change."
To fix the issue automatically:
To fix the issue manually, in your Elasticsearch instance, proceed with one of the options below:
- set the JVM property -Dlog4j2.formatMsgNoLookups=true
- remove the JndiLookup.class
as instructed here.
See a sample adjustment in Figure 1-1 below.
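To confirm that one of the two manual options above is actually in place on a node, the following added example (not code from this page or from Elastic) audits an Elasticsearch installation directory. It assumes the flag is set in config/jvm.options or config/jvm.options.d/*.options, that the log4j-core jar sits somewhere under the install directory, and that the class lives at org/apache/logging/log4j/core/lookup/JndiLookup.class inside the jar; a flag passed another way (for example through ES_JAVA_OPTS) is not detected. The helper names and the sample tree are constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def flag_configured(es_home):
    """True if an uncommented line in config/jvm.options(.d) sets the flag."""
    config = Path(es_home) / "config"
    files = [config / "jvm.options", *sorted(config.glob("jvm.options.d/*.options"))]
    return any(line.strip() == FLAG
               for f in files if f.is_file()
               for line in f.read_text().splitlines())

def audit(es_home):
    """Report which of the two manual mitigations is in place under es_home."""
    jars = sorted(Path(es_home).rglob("log4j-core-*.jar"))
    hits = []
    for jar in jars:
        with zipfile.ZipFile(jar) as zf:
            if JNDI_CLASS in zf.namelist():
                hits.append(jar.name)
    flag = flag_configured(es_home)
    # Finding no jar means nothing was verified, so that alone is not a pass.
    return {"flag_set": flag, "jars_checked": len(jars), "jndi_jars": hits,
            "mitigated": flag or (bool(jars) and not hits)}

def make_sample(root, flag, keep_class):
    """Build a constructed Elasticsearch-like tree for the demo (not real data)."""
    root = Path(root)
    (root / "config").mkdir(parents=True)
    (root / "lib").mkdir()
    line = FLAG if flag else "#" + FLAG  # a commented-out flag must not count
    (root / "config" / "jvm.options").write_text("-Xms1g\n" + line + "\n")
    # Placeholder jar name and empty class files: only the entry names matter here.
    with zipfile.ZipFile(root / "lib" / "log4j-core-0.0.0.jar", "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if keep_class:
            zf.writestr(JNDI_CLASS, b"")

if __name__ == "__main__":
    for flag, keep in [(False, True), (True, True), (False, False)]:
        with tempfile.TemporaryDirectory() as d:
            make_sample(d, flag, keep)
            print(f"flag={flag} class_present={keep} ->", audit(d))
```

Point `audit()` at the real installation directory and run it again after the change and the node restart.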