Update your clusters to 1.2.3
CVE-2021-45105 for Log4j was issued after the release of OpenSearch 1.2.2. This CVE advises upgrading to Log4j 2.17.0. While there has been no observed reproduction of the issue described in CVE-2021-45105 in OpenSearch, we have released OpenSearch 1.2.3 which updates Log4j to version 2.17.0.
In addition to OpenSearch, additional artifacts were released with Log4j 2.17.0 updates including:
- Data Prepper 1.2.1, which updates Log4j to version 2.17.0.
- Open source Logstash 7.16.2 with opensearch-output plugin, which includes a fix for CVE-2021-45105 provided by the maintainers of Logstash.
You can get OpenSearch 1.2.3 and other updated artifacts on the downloads page.
Do you have questions or feedback?
If you’re interested in learning more, have a specific question, or just want to provide feedback and thoughts, please visit OpenSearch.org, open an issue on GitHub, or post in the forums. There are also regular Community Meetings that include progress updates at every session and include time for Q&A.
