Update 2021-12-22: OpenSearch 1.2.3 is now available - please see Log4j Patch for CVE-2021-45105
Update 2021-12-16: OpenSearch 1.2.2 now available - please see: Log4j Patch for CVE-2021-45046
Update 2021-12-15: OpenSearch 1.2.2 is in progress which addresses CVE-2021-45046. See the updated blog post for more info.
Update 2021-12-11: OpenSearch 1.2.1 has been released.
A security issue was recently disclosed (CVE-2021-44228) affecting the broadly-used Apache Log4j library. Software in the OpenSearch project includes versions of Log4j which are referenced in this CVE. The team
is working to has upgraded the Log4j version in OpenSearch to 2.15.0 as recommended by the advisory.
All users should upgrade their OpenSearch clusters to this new version.
Further updates will come on this thread - please stay tuned for further details.