What's the log4j version on R20211203-P2?

0

What's the log4j version on R20211203-P2 (today, 20-Dec-2021)?

asked 2 years ago · 475 views
3 Answers
0

Amazon OpenSearch Service has released a critical service software update, R20211203-P2, that contains an updated version of Log4j2 in all regions. We strongly recommend that customers update their OpenSearch clusters to this release as soon as possible.

  • I would highly recommend that you track/monitor the following AWS security bulletin for updates on this vulnerability's impact on AWS services:

https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

AWS
syumaK
answered 2 years ago
AWS
EXPERT
reviewed 2 years ago
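
One way to check domains against the release recommended above, as an added example that is not part of the original answer and not AWS's own code: it reads `ServiceSoftwareOptions` from a describe-domains response and orders release identifiers, assuming they have the form `R<YYYYMMDD>[-P<n>]`. The domain names and the sample response are constructed.

```python
import json
import re

REQUIRED = "R20211203-P2"  # release named in the answer above
# Assumed identifier shape: "R" + YYYYMMDD + optional "-P<n>" patch suffix.
RELEASE_RE = re.compile(r"R(\d{8})(?:-P(\d+))?$")

def release_key(version):
    """Return (date, patch) for ordering, or None if unrecognised."""
    m = RELEASE_RE.search(version.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def classify(domain_status, required=REQUIRED):
    """Classify one entry of DomainStatusList by its service software release."""
    opts = domain_status.get("ServiceSoftwareOptions") or {}
    key = release_key(opts.get("CurrentVersion") or "")
    if key is None:
        return "unknown"  # never report an unparsed version as patched
    if key >= release_key(required):
        return "ok"
    # Below the required release: is an update already scheduled or running?
    if opts.get("UpdateStatus") in ("PENDING_UPDATE", "IN_PROGRESS"):
        return "update-pending"
    return "needs-update"

def report(response):
    """Map each domain name in a describe-domains response to its state."""
    return {d["DomainName"]: classify(d) for d in response["DomainStatusList"]}

# Constructed sample response (domain names and versions are made up).
SAMPLE = json.loads("""
{"DomainStatusList": [
  {"DomainName": "logs-prod", "ServiceSoftwareOptions":
    {"CurrentVersion": "R20211203-P2", "UpdateStatus": "COMPLETED"}},
  {"DomainName": "search-dev", "ServiceSoftwareOptions":
    {"CurrentVersion": "R20210816", "UpdateStatus": "ELIGIBLE"}},
  {"DomainName": "audit", "ServiceSoftwareOptions":
    {"CurrentVersion": "R20211203", "UpdateStatus": "PENDING_UPDATE"}},
  {"DomainName": "legacy", "ServiceSoftwareOptions": {"CurrentVersion": ""}}
]}
""")

if __name__ == "__main__":
    for name, state in report(SAMPLE).items():
        print(f"{name:12} {state}")
```

The check only establishes that a domain is at or beyond the named release; it says nothing about which Log4j version that release contains.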
0

I updated to R20211203-P2. However, a new log4j weakness, 'CVE-2021-45105', was published on 19/12/2021. Does R20211203-P2 resolve 'CVE-2021-45105'?

answered 2 years ago
0

R20211203-P2 will not protect from CVE-2021-45105. Probably this will be in a next patch, although the threat is a bit lower (only DDoS possibility under certain conditions).

I do not know the contents of the patch, though. There is one version of log4j unaffected: 2.12.3; if they used that version, the new CVE would also be covered. This version was released 2020-02-25, though, and probably has other vulnerabilities.

The only unaffected version for CVE-2021-45105 is log4j version 2.17 (and 2.12.3), which was released 18 Dec 15:14. (Source: https://github.com/apache/logging-log4j2/tags, hover over the tag label.)

The patch R20211203-P2 was suggested before 15 Dec 07:43. (Source: https://stackoverflow.com/questions/70359982/were-running-elasticsearch-7-8-through-aws-opensearch-with-logging-turned-off)

JaccoPK
answered 2 years ago
