Amazon OpenSearch Service has released a critical service software update, R20211203-P2, that contains an updated version of Log4j2 in all regions. We strongly recommend that customers update their OpenSearch clusters to this release as soon as possible.
- I would highly recommend that you track/monitor the following AWS security bulletin for updates on this vulnerability’s impact on AWS services:
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
I updated to R20211203-P2. However, a new log4j weakness, 'CVE-2021-45105', was published on 19/12/2021. Does R20211203-P2 resolve 'CVE-2021-45105'?
R20211203-P2 will not protect from CVE-2021-45105. This will probably be in a next patch, although the threat is a bit lower (only a DDOS possibility under certain conditions).
I do not know the contents of the patch though. There is one version of log4j unaffected: 2.12.3. If they used that version, the new CVE would also be covered. This version was released 2020-02-25 though and probably has other vulnerabilities.
The only unaffected version for CVE-2021-45105 is log4j version 2.17 (and 2.12.3), which was released 18 Dec 15:14. (Source: https://github.com/apache/logging-log4j2/tags, hover over the tag label.)
The patch R20211203-P2 was suggested before 15 Dec 07:43. (Source: https://stackoverflow.com/questions/70359982/were-running-elasticsearch-7-8-through-aws-opensearch-with-logging-turned-off)
Could not find any version number of log4j https://stackoverflow.com/questions/70359982/were-running-elasticsearch-7-8-through-aws-opensearch-with-logging-turned-off
An updated version at least https://aws.amazon.com/security/security-bulletins/AWS-2021-006/