Card #607 · Elastic (Elasticsearch / Kibana)
Vulnerable Apache Log4j versions bundled in Elasticsearch and Logstash
Security scans have identified CVE-2026-34477 and CVE-2026-34480 in bundled Log4j libraries within Elasticsearch 8.19.14 and Logstash. We need official guidance on remediation plans, available patches, or confirmation on whether these JARs can be safely upgraded to version 2.25.3/2.25.4.
Pain score
0.15/ 1.00 · weighted product of four components
Reach0.32distinct authors (log-normalized)
Recency1.00freshness decay, half-life months
Engagement1.00upvotes + comments, normalized
Monetization0.50willingness-to-pay cues in evidence
§ Evidence — 2 verified quotes
Security scans have identified vulnerable Apache Log4j Core versions bundled with Elasticsearch 8.19.14 and Logstash on the host.
The same CVE is also present in elasticsearch-log4j-8.19.15.jar
Comments are a Pro feature — join the conversation, share what you've shipped, hear what others are building.
Upgrade to Pro