Elastic (Elasticsearch / Kibana)implicithighCluster of 2 signals
Card #607 · Elastic (Elasticsearch / Kibana)

Vulnerable Apache Log4j versions bundled in Elasticsearch and Logstash

Security scans have identified CVE-2026-34477 and CVE-2026-34480 in bundled Log4j libraries within Elasticsearch 8.19.14 and Logstash. We need official guidance on remediation plans, available patches, or confirmation on whether these JARs can be safely upgraded to version 2.25.3/2.25.4.

Elastic (Elasticsearch / Kibana)Updated May 27, 20260.15
Pain score
0.15/ 1.00 · weighted product of four components
Reach0.32
distinct authors (log-normalized)
Recency1.00
freshness decay, half-life months
Engagement1.00
upvotes + comments, normalized
Monetization0.50
willingness-to-pay cues in evidence
§ Evidence — 2 verified quotes
Security scans have identified vulnerable Apache Log4j Core versions bundled with Elasticsearch 8.19.14 and Logstash on the host.
Forum·@sankalita··source ↗
The same CVE is also present in elasticsearch-log4j-8.19.15.jar
Forum·@Ben_Turman··source ↗

Comments are a Pro feature — join the conversation, share what you've shipped, hear what others are building.

Upgrade to Pro