Additional CVE-2021-44228 (Log4j) Elasticsearch patching
Incident Report for Aptible
Resolved
While we don't have any reason to believe we're vulnerable, out of an abundance of caution in response to CVE-2021-45046 [0], we're updating all Elasticsearch databases using version 5.6+ to ensure that the affected JndiLookup class is removed. This is in addition to setting "log4j2.formatMsgNoLookups=true", which was complete on December 11. This update will require us to restart the databases, which will result in up to 90 seconds of downtime.

For Elasticsearch versions prior to 5.6, this class has already been removed, as removing it is the only mitigation available for those versions.

[0] https://nvd.nist.gov/vuln/detail/CVE-2021-45046
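The two mitigations above (removing JndiLookup.class from the log4j-core jar, and the earlier log4j2.formatMsgNoLookups flag) can both be verified from the host. The following script is an added example, not Aptible's tooling: it assumes the standard Elasticsearch layout of log4j-core-*.jar under the lib directory and JVM flags in config/jvm.options, uses the real class path of JndiLookup inside log4j-core 2.x, and builds a constructed stand-in jar so it runs offline. Because a running JVM keeps the already-loaded class in memory, stripping the jar only takes effect after the restart the report mentions.

```python
"""Check and strip JndiLookup from an Elasticsearch log4j-core jar (added example).

Assumed layout: <ES_HOME>/lib/log4j-core-*.jar and <ES_HOME>/config/jvm.options.
The sample jar built by make_sample_jar() is constructed; its entries are
placeholder bytes, not real class files.
"""
import glob
import os
import shutil
import sys
import tempfile
import zipfile

# Real location of the class inside log4j-core 2.x jars.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# JVM flag set on December 11 according to the report.
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def has_jndi_lookup(jar_path):
    """Return True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return the number of entries removed.

    zipfile cannot delete in place, so every other entry is copied into a temporary
    archive next to the original, which is then atomically replaced.
    """
    removed = 0
    tmp_fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".jar")
    os.close(tmp_fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP_ENTRY:
                    removed += 1
                    continue
                dst.writestr(info, src.read(info.filename))  # keeps compression and timestamp
        shutil.copymode(jar_path, tmp_path)
        os.replace(tmp_path, jar_path)
    except Exception:
        os.unlink(tmp_path)
        raise
    return removed


def scan_lib_dir(lib_dir):
    """Map each log4j-core jar in lib_dir to whether JndiLookup is still present."""
    pattern = os.path.join(lib_dir, "log4j-core-*.jar")
    return {os.path.basename(p): has_jndi_lookup(p) for p in sorted(glob.glob(pattern))}


def has_no_lookups_flag(jvm_options_text):
    """True if jvm.options sets formatMsgNoLookups on an uncommented line."""
    for line in jvm_options_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line == NO_LOOKUPS_FLAG:
            return True
    return False


def make_sample_jar(path):
    """Constructed stand-in for an unpatched log4j-core jar (placeholder contents)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/LogManager.class", b"\xca\xfe\xba\xbe placeholder")
        jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe placeholder")


def run_demo():
    """Build a constructed lib dir, strip the class, and report before/after state."""
    lib_dir = tempfile.mkdtemp(prefix="es-lib-")
    jar = os.path.join(lib_dir, "log4j-core-sample.jar")
    make_sample_jar(jar)
    before = scan_lib_dir(lib_dir)
    removed = strip_jndi_lookup(jar)
    after = scan_lib_dir(lib_dir)
    with zipfile.ZipFile(jar) as z:
        remaining = sorted(z.namelist())
    shutil.rmtree(lib_dir)
    return before, removed, after, remaining


if __name__ == "__main__":
    # Usage: python check_log4j.py /usr/share/elasticsearch/lib  (assumed path)
    for lib_dir in sys.argv[1:] or []:
        for name, present in scan_lib_dir(lib_dir).items():
            print(f"{name}: JndiLookup {'PRESENT' if present else 'removed'}")
    if not sys.argv[1:]:
        print(run_demo())
```

Run it against a real lib directory to audit; call strip_jndi_lookup on any jar reported PRESENT, then restart the node so the JVM reloads the patched jar.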
Posted Dec 16, 2021 - 08:21 EST
This incident affected: Aptible Deploy.