Log4j Patch for CVE-2021-44228

Update 2021-12-22: OpenSearch 1.2.3 is now available - please see Log4j Patch for CVE-2021-45105

Update 2021-12-16: OpenSearch 1.2.2 now available - please see: Log4j Patch for CVE-2021-45046

Update 2021-12-15: OpenSearch 1.2.2 is in progress which addresses CVE-2021-45046. See the updated blog post for more info.

Update 2021-12-11: OpenSearch 1.2.1 has been released.

A security issue was recently disclosed (CVE-2021-44228) affecting the broadly-used Apache Log4j library. Software in the OpenSearch project includes versions of Log4j which are referenced in this CVE. The team is working to has upgraded the Log4j version in OpenSearch to 2.15.0 as recommended by the advisory.

All users should upgrade their OpenSearch clusters to this new version.

Further updates will come on this thread - please stay tuned for further details.

4 Likes

Update: The mitigations are in place for OpenSearch 1.2.0 + Open Distro 1.13.2. A build has been created and the team has kicked off our final round of performance testing. This testing takes approximately 7-8 hours to run. The team will let this run over night and is reconvening in the morning (2021/12/11) to review the data and, assuming no issues, kick off the distribution.

3 Likes

OpenSearch 1.2.1 is out now! - information available here:

OpenSearch 1.2.2 now available - please see: Log4j Patch for CVE-2021-45046