Rafael Corrêa Gomes

ElasticSearch Log4j – Magento 2

ElasticSearch Magento 2 Log4j

Since Dec 13, the issue with Log4j was highly covered by the media and using Magento 2 you probably use ElasticSearch 6 or 7. If you need more information on how to check Log4J in your server you check the previous article Adobe Commerce Log4j.

ElasticSearch version

To check your current ElasticSearch version, you need to run this command below.

curl -XGET 'http://localhost:9200'

You might receive an output like this below showing the version.

ElasticSearch version 6
ElasticSearch version

ElasticSearch upgraded version against Log4j

You have two main upgraded versions your need to look at, version 6 and version 7. The version depends on your current installation and the Magento 2 version.

If you have ElasticSearch 6 you need to have at least version 6.8.21 to avoid the vulnerability.

If you have ElasticSearch 7 you need to have at least version 7.16.1 to avoid the vulnerability.

Both versions will include these technical adjustments below.

  • Disable JNDI lookups via the log4j2.formatMsgNoLookups system property.
  • Patch log4j jar to remove the JndiLookup class from the classpath.

Thank you for reading this article, and don’t forget to share it to let everyone in your team know about how to quickly check it.

About me

Rafael Corrêa Gomes

Rafael Corrêa Gomes

Senior ecommerce developer and architect based in Montreal, Canada. With experience with saas, product and team management using Magento, Shopify, PHP, JavaScript and NodeJS.