Adobe is aware of the Apache Log4j library vulnerability (CVE-2021-44228) and strongly encourages merchants to follow the guidelines detailed below.
Adobe Commerce on Cloud deployments
No additional steps are currently needed to protect your Adobe Commerce deployment. Our team has investigated potential impacts and has implemented remediations for Elasticsearch for the Pro and Starter environment services.
Adobe Commerce on-premises deployments
Merchants with on-premises deployments that use Elasticsearch should consult the following guidance:
For ongoing updates, please check here.
UPDATE 12.26.2021
In response to Log4j CVE-2021-45105, we have updated the deployed Elasticsearch versions 6.x and 7.x for Adobe Commerce Cloud to use Log4j 2.17.
Starting in Q1 2022, we are adding support for Elasticsearch 7.16 and OpenSearch 1.2 in all Q1 2022 releases (2.4.4, 2.4.3-p2, 2.3.7-p3). In 2.4.4, Adobe Commerce hosted in the cloud will move to OpenSearch as the default search engine, so customers who upgrade to 2.4.4+ will need to use OpenSearch in place of Elasticsearch. Adobe Commerce merchants hosted on-premises have the option to use either Elasticsearch or OpenSearch, as both will be supported by the Adobe Commerce application.