Hi,
May I please confirm that adding the JVM option -Dlog4j2.formatMsgNoLookups=true to Elastic Search installations to address the recently reported log4j vulnerability is an acceptable immediate/short term solution?
Gellynck Jens [SLC] Answered question 13th December 2021
An official Skyline blog post has been published: responding to log4shell vulnerability
Gellynck Jens [SLC] Posted new comment 21st December 2021
Thanks!
Best Regards
Jörg
Another way to mitigate the vulnerabilities is to update your elasticsearch version, more information can be found here (it’s also linked in the article above): https://community.dataminer.services/documentation/upgrading-elasticsearch-from-one-minor-version-to-another/
To add to the context of this question, we are aware that there are multiple users of DataMiner who have raised questions regarding this security vulnerability for both DataMiner 9.6 and 10.1 in their production deployments. More info regarding the vulnerability found here https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
Some guidance of the applicability of this security vulnerability to DataMiner infrastructure (core software and any other third-party software e.g.: databases MSSQL, ES, Cassandra, etc) is requested.