Hi Team,
We have installed OpenSearch 1.2.2 Version recently and its still showing the log4j vulnerability scan.
For the remediation, May I know the next version would be helpful and when it can be live to use? Please advice!
Hello @Naga10 - we are working to release 1.2.3 to address CVE-2021-45105. We should know a target release date soon.
We will keep this post updated:
@kris are there also plans to update the Log4j implementation in the Logstash-OSS with Opensearch Plugin as well? Thanks.
Hello @John - even better news - Just confirmed with the team: We have already released logstash output plugin - Docker Hub
We have the Tarball install and not Docker. The plan is to migrate to docker but right now it is untested in our environment and we are just trying to keep up with the CVEs being published.
Working to get these out soon.
Very much appreciated.
OpenSearch 1.2.3 is now available:
1 Like
@kris Is Log4j issue has been remediated to OpenSearch 1.2.3 package? Is there any other packages are going o release? So that we can wait and use the latest one. pls advice
Hello @Naga10 - yes, here is the timeline of OpenSearch releases so far:
CVE-2021-44228 - update to Log4j 2.15.0 - OpenSearch 1.2.1 was released 12/11/2021
CVE-2021-45046 - update to Log4j 2.16.0 - OpenSearch 1.2.2 was released 12/16/2021
CVE-2021-45105 - update to Log4j 2.17.0 - OpenSearch 1.2.3 was released 12/22/2021
There is CVE-2021-44832 that has been identified with the recommendation to update to Log4j 2.17.1 - the team is currently evaluating this.
Hi @kris
Recently we have upgraded to opensearch-1.2.3 version. So it means, we need one more upgrade to Log4j 2.17.1 version once after the new release. is it?
There is a meeting tomorrow on this that will discuss log4j vulnerability, you can register for it here: Workshop: Migrate from Elasticsearch to OpenSearch