<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Please see <a href="https://github.com/macports/macports-ports/pull/13331" class="">https://github.com/macports/macports-ports/pull/13331</a><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Dec 12, 2021, at 7:36 AM, Nils Breunese <<a href="mailto:nils@breun.nl" class="">nils@breun.nl</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta charset="UTF-8" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 24px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">2. elasticsearch 7.15.2_0 includes log4j-core-2.11.1.jar, which is a vulnerable version of Log4J 2.x</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 24px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 24px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="https://github.com/elastic/elasticsearch/issues/81618" style="font-family: Helvetica; font-size: 24px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">https://github.com/elastic/elasticsearch/issues/81618</a><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 24px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class=""><span class="Apple-converted-space"> </span>says: "This can be mitigated for the time being by adding -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS". I think I’d add -Dlog4j2.formatMsgNoLookups=true in /opt/local/etc/elasticsearch/jvm.options, or add ES_JAVA_OPTS="$ES_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true" at the end of /opt/local/bin/elasticsearch-env.</span></div></blockquote></div><br class=""></body></html>