You have probably already heard of the critical Log4j2 vulnerability that was disclosed a couple of days ago.
Search Guard solely depends on the Log4j2 component shipped by Elasticsearch. Thus, the vulnerability is only fixable by updating Elasticsearch or by applying the mitigations recommended by Elasticsearch:
Independently, we are running our own security tests to double-check the recommendations by Elasticsearch. In the meantime, we recommend applying the mitigation of setting the JVM option
-Dlog4j2.formatMsgNoLookups=true in any case.
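
One way to check that this option is really active in a node's JVM options files, and to add it when it is missing; this is an added example, not Search Guard or Elasticsearch code. The jvm.options / jvm.options.d layout, the drop-in file name and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed layout: <config dir>/jvm.options plus optional
# <config dir>/jvm.options.d/*.options drop-ins, read in glob (sorted) order.
FLAG='-Dlog4j2.formatMsgNoLookups'

# Print "true", "false" or "unset" for the flag under config directory $1.
# Commented-out lines do not count. The last active occurrence is reported,
# on the assumption that a later definition overrides an earlier one.
nolookups_state() {
    state=unset
    for f in "$1/jvm.options" "$1"/jvm.options.d/*.options; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*${FLAG}=\([A-Za-z]*\)[[:space:]]*\$/\1/p" "$f" \
            | tail -n 1 | tr 'A-Z' 'a-z')
        if [ -n "$v" ]; then state=$v; fi
    done
    printf '%s\n' "$state"
}

# Make sure the flag is active under config directory $1.
# Writes only when needed, so repeated runs change nothing further.
# Returns 1 if some other file still overrides the flag after the write.
ensure_nolookups() {
    if [ "$(nolookups_state "$1")" = true ]; then
        return 0
    fi
    if [ -d "$1/jvm.options.d" ]; then
        # Hypothetical drop-in name, chosen to sort late among the drop-ins.
        printf '%s=true\n' "$FLAG" > "$1/jvm.options.d/zz-log4j2-nolookups.options"
    else
        printf '%s=true\n' "$FLAG" >> "$1/jvm.options"
    fi
    [ "$(nolookups_state "$1")" = true ]
}

# Usage on a node (the path is an assumption):
#   ensure_nolookups /etc/elasticsearch || echo "flag is overridden, check drop-ins"
```

JVM options are read at startup, so the node has to be restarted before the setting takes effect.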
Please do not hesitate to contact us in case of any questions.
Search Guard (®) is an Elasticsearch plugin that offers encryption, authentication, and authorization.