Security
Volver a Security Alert
- [LES] Elastic's Response to Log4j Exploit (CVE-2021-44228)
- ClamAV HFS+ Aviso de seguridad: CVE-2023-20032
- Dec 16 Liferay’s Update about Log4j vulnerabilities CVE-2021-4104, CVE-2021-44228 and CVE-2021-45046
- Dec 18 Liferay’s Update about Log4j CVE-2021-45105
- Delayed: Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites
- Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites
- Elasticsearch and Liferay Enterprise Search Security Advisory: 2018 November
- Elasticsearch and Liferay Enterprise Search Security Advisory: April 2, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: April 28, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: April 7, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: August 23, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: August 5, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: Dec 11, 2021 (Log4j2, CVE-2021-44228, CVE-2021-45046,CVE-2021-45105)
- Elasticsearch and Liferay Enterprise Search Security Advisory: February 2019
- Elasticsearch and Liferay Enterprise Search Security Advisory: January 15, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: January 16, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: July 12, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: July 23, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: June 2, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: June 4, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: March 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: March 9, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: Nov 12, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: October 2019
- Elasticsearch and Liferay Enterprise Search Security Advisory: October 22, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: Sept 2, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: September 2, 2020
- Elastic Security Statement for CVE-2024-3094, xz versions 5.6.0 and 5.6.1
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-1364
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23707
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23708, CVE-2022-23709, CVE-2022-23710
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23711
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23713
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-38779
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-38900
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-1370
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31414, CVE-2023-31415, CVE-2023-26486, CVE-2023-26487
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31417
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31418, CVE-2023-31419, CVE-2023-31422
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-46671, CVE-2023-46673
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-46675, CVE-2023-49921
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-12539
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-12556, CVE-2024-52974, CVE-2024-52980, CVE-2024-52981
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23445, CVE-2024-37279, CVE-2024-37280, CVE-2024-23442, CVE-2024-23443, CVE-2024-2887, CVE-2024-37281, CVE-2024-37287, CVE-2024-23444
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23446, CVE-2023-7024
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23449
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23450
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-37285, CVE-2024-37288
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-43706, CVE-2025-2135, CVE-2025-25012 (Kibana)
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-43709, CVE-2024-52973, CVE-2024-43710, CVE-2024-43707, CVE-2024-52972, CVE-2024-43708
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-25012
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-25014, CVE-2024-52979, CVE-2024-11390, CVE-2025-25016
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement for OpenSSL CVE-2022-3786 and CVE-2022-3602, OpenSSL version 3.0.7
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement for Oracle July Critical Patch Update CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-25647, CVE-2022-34169
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement regarding CVE-2022-1471
- Follow-Up Security Alert for LSV-412 and LSV-545
- Jenkins Security Advisory 2024-01-24: CVE-2024-23897
- Liferay Cloud Security Alert: June 2019
- Liferay Enterprise Search Support Alert: Action Required by June 24 2019
- Liferay SaaS Security Alert: March 2020
- Liferay Security Alert: 2018 August
- Liferay Security Alert: 2019 January
- Liferay Security Alert: 2019 June
- Liferay Security Alert: 2019 November
- Liferay Security Alert: 2019 October
- Liferay Security Alert: 2020 February
- Liferay Security Alert: 2020 July
- Liferay Security Alert: 2020 March
- Liferay Security Alert: 2020 May
- Liferay Security Alert: 2021 April
- Liferay Security Alert: 2022 April
- Liferay Security Alert: December 2018
- Liferay Security Alert for Liferay DXP
- Liferay’s Statement about CVE-2021-44228 (Log4j vulnerability)
- Liferay’s Statement about recent Log4j vulnerabilities
- Reminder: Follow-Up Security Alert for LSV-412 and LSV-545
- Spring4Shell and Spring Cloud Security Advisory
- TLS 1.0 Disabled for Inbound Traffic on Liferay Services and Websites
- Update: Log4j Security Advisory
[LES] Elastic's Response to Log4j Exploit (CVE-2021-44228)
Context
Elasticsearch and Liferay Enterprise Search Security Advisory: Dec 11, 2021 (CVE-2021-44228)
Elastic Software Implications
Log4j is used as a component of Elastic products to output log statements that help Elastic and our users to troubleshoot problems.
A security investigation to determine whether there was any impact to Elastic or our customers has been executed and we are centralising the most recent updates from Elastic into the following Security Announcement.
The following products are potentially affected - please see the relevant product specific section of the Security Announcement for more details:
- APM Java Agent - exposure to the Log4j 2 exploit (CVE-2021-44228) in certain conditions, mitigation requires config setting or upgrade to latest available version (1.28.1)
- Logstash - Log4j 2 (CVE-2021-44228) exposure to remote code execution on JDKs prior to 8u191. On newer versions of JDKs there is exposure to Denial of Service and information leakage. Requires JndiLookup class removal or update to Logstash version 6.8.21 or 7.16.1 when released on December 13th.
- Elasticsearch - Log4j 2 (CVE-2021-44228) no exposure to remote code execution for Elasticsearch 6 and 7, but potential exposure to information leakage, full mitigation requires config setting, or update to Elasticsearch version 6.8.21 or 7.16.1 when released on December 13th. Investigation into Elasticsearch 5 is ongoing.
We have validated that the vulnerability does not exist in the following Elastic products:
- APM Server
- Beats
- Cmd
- Elastic Agent
- Elastic Cloud Enterprise (ECE)*
- Elastic Cloud on Kubernetes (ECK)*
- Elastic Endgame
- Elastic Maps Service
- Endpoint Security
- Enterprise Search server
- Fleet Server
- Kibana
- Machine Learning
- Swiftype
*Orchestrated environments should be assessed for impact to deployed products.
Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries / Trademarks / Terms / Privacy
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
On this page