Hello all,

As you may have seen recently, Log4j has a severe zero-day exploit affecting many projects, including Elasticsearch. For anyone using CirrusSearch or Semantic MediaWiki’s ElasticStore, here’s what you need to know:

- If you are using JDK 11 or above, you’re not affected. 😊
- If you are using the latest version of the Elasticsearch 6.x Docker images, you’re not affected. This is because 6.6 uses JDK 11, 6.7 uses JDK 12, and 6.8 uses JDK 15. 😊
- If you are using JDK 8 or under, you are likely affected. 😭 There are a few ways to fix this:
-- First, Elasticsearch 6.8.21 is being released to remedy this. Upgrading to this version should resolve the issues even if you are using JDK 8 or below.
-- If you are using Elasticsearch 6.5.4, 6.6.x, 6.7.x, or you are otherwise unable to upgrade to the latest version of Elasticsearch 6.x, I strongly recommend you try upgrading your JDK version to at least JDK 11 or upgrade Elasticsearch to 6.8.21 when it comes out.
-- If you can’t upgrade your JDK or Elasticsearch, you can set the JVM option Dlog4j2.formatMsgNoLookups=true

You may have seen information on the CirrusSearch extension page saying CirrusSearch 6.5.4 only currently works with Elasticsearch 6.5.4. That is not correct; CirrusSearch 6.5.4 works just fine with 6.8.20 (for instance, Project Canasta uses the ES 6.8.20 Docker image) and the extension page has been updated to reflect that.

For more information from Elastic themselves, please see this: 
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Thanks,
Jeffrey