Checking to make sure - have all the repositories been updated as well? Yum, Apt, Dockerhub etc…
I’m wondering the same… We’re working on upgrading to a Docker-based OpenSearch system but still have a Debian-package-based Open Distro cluster out there… Could really use an Open Distro Debian package release for this vuln.
The Open Distro deb and rpm packages are built on top of the upstream Elasticsearch deb and rpm packages, and those upstream packages are what contains the Log4j2 jars. So we’ve been looking really hard at what the options are for distributing a release that contains a fix, and there are fewer options here than there are for the .tgz and Docker builds.
Right now it looks like we’d need to develop a deb & rpm packaging process more or less from scratch, and doing that in a way that retains backward compatibility and upgradeability for existing users is underway and will likely take several weeks of development.
If you’re using Open Distro < 1.13.2 or the Open Distro 1.13.2 deb/rpm packages, please apply one of the mitigations from the Log4j2 website in the section beginning “For those who cannot upgrade to 2.15.0…”. All users can and should do this immediately, while we work to create deb/rpm packages that have at least one of these mitigations built-in by default.
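For anyone on the deb/rpm packages, here is a quick audit script to run before and after applying the mitigation. It is an added example, not code from this thread or from the Open Distro project: it walks an install tree for log4j-core jars and reports which ones still package the JndiLookup class (the /usr/share/elasticsearch path and the sample jars it builds are assumptions/constructed data).

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Removing this class from log4j-core is one of the Log4j2 mitigations for
# deployments that cannot swap the jar; on deb/rpm installs the jar ships
# inside the upstream Elasticsearch package that Open Distro builds on.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def audit_jar(jar_path: Path) -> dict:
    """Report the log4j-core version and whether JndiLookup is still packaged."""
    m = JAR_NAME.match(jar_path.name)
    version = tuple(int(x) for x in m.groups()) if m else None
    with zipfile.ZipFile(jar_path) as zf:
        has_lookup = JNDI_LOOKUP in zf.namelist()
    # A jar below 2.15.0 that still carries JndiLookup has had no mitigation applied.
    needs_action = has_lookup and (version is None or version < (2, 15, 0))
    return {"jar": str(jar_path), "version": version,
            "jndi_lookup_present": has_lookup, "needs_action": needs_action}

def audit_tree(root: Path) -> list:
    """Walk an install tree (assumed: /usr/share/elasticsearch) and audit every log4j-core jar."""
    return [audit_jar(p) for p in sorted(root.rglob("log4j-core-*.jar"))]

def build_constructed_sample(root: Path) -> None:
    """Constructed sample data, not real artifacts: one untouched jar, one with the class removed."""
    lib = root / "lib"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-core-2.11.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    plugin = root / "plugins" / "example-plugin"
    plugin.mkdir(parents=True)
    with zipfile.ZipFile(plugin / "log4j-core-2.11.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # JndiLookup.class deliberately absent: mitigation already applied here

def demo() -> list:
    """Audit the constructed sample tree; on a real node call audit_tree(Path('/usr/share/elasticsearch'))."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        results = audit_tree(root)
    for r in results:
        print(("ACTION NEEDED " if r["needs_action"] else "ok            ") + r["jar"])
    return results

if __name__ == "__main__":
    demo()
```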
Hi @daleo, Open Distro has historically always applied security fixes to the latest version. If you are unable for any reason to upgrade to version 1.13.3, please apply one of the mitigations from the Log4j2 website in the section beginning “For those who cannot upgrade to 2.15.0…”.