What's the log4j version on R20211203-P2?

0

What's the log4j version on R20211203-P2 (today, 20-Dec-2021)?

asked 2 years ago, 461 views
3 Answers
0

Amazon OpenSearch Service has released a critical service software update, R20211203-P2, that contains an updated version of Log4j2 in all regions. We strongly recommend that customers update their OpenSearch clusters to this release as soon as possible.

  • I would highly recommend that you track/monitor the following AWS security bulletin for updates on this vulnerability's impact on AWS services:

https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

AWS
syumaK
answered 2 years ago
AWS
EXPERT
reviewed 2 years ago
0

I updated to R20211203-P2. However, a new log4j weakness, 'CVE-2021-45105', was published on 19/12/2021. Does R20211203-P2 resolve 'CVE-2021-45105'?

answered 2 years ago
0

R20211203-P2 will not protect against CVE-2021-45105. This will probably come in a next patch, although the threat is a bit lower (only a DDOS possibility under certain conditions).

I do not know the contents of the patch, though. There is one version of log4j unaffected: 2.12.3. If they used that version, the new CVE would also be covered. This version was released 2020-02-25, though, and probably has other vulnerabilities.

The only unaffected version for CVE-2021-45105 is log4j version 2.17 (and 2.12.3), which was released 18 Dec 15:14. (Source: https://github.com/apache/logging-log4j2/tags, hover over the tag label.)

The patch R20211203-P2 was suggested before 15 Dec 07:43. (Source: https://stackoverflow.com/questions/70359982/were-running-elasticsearch-7-8-through-aws-opensearch-with-logging-turned-off)

JaccoPK
answered 2 years ago
