Hi, we did a check. Only 7.16.1 and 6.8.21 and above mitigate the attack. What's the current version that ClearML is using?
Hi SubstantialElk6 , reading ElasticSearch's summary, it seems to me like they state that:
[Original post] CVE-2021-44228... Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage
AND
[Update December 15] CVE-2021-45046 ... Our guidance for Elasticsearch, APM Java Agent, and Logstash are unchanged by this new vulnerability
And also that:
[Update December 17] The 7.16.1 and 6.8.21 releases of Elasticsearch and Logstash fully mitigate CVE-2021-44228 and CVE-2021-45046...
As stated there: We've confirmed that the Security Manager mitigates the remote code execution attack in Elasticsearch 6 and 7;
Which basically means ClearML-Server is not affected. We will include the -Dlog4j2.formatMsgNoLookups=true JVM flag (just to be on the safe side) in the coming release (and users can also do it right now in their own docker-compose, of course).