Significant security vulnerability discovered in Log4j

Steven Smith steve.t.smith at
Mon Dec 13 03:43:56 UTC 2021

Please see

> On Dec 12, 2021, at 7:36 AM, Nils Breunese <nils at> wrote:
> 2. elasticsearch 7.15.2_0 includes log4j-core-2.11.1.jar, which is a vulnerable version of Log4J 2.x
> <> says: "This can be mitigated for the time being by adding -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS". I think I’d add -Dlog4j2.formatMsgNoLookups=true in /opt/local/etc/elasticsearch/jvm.options, or add ES_JAVA_OPTS="$ES_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true" at the end of /opt/local/bin/elasticsearch-env.
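
A check for the mitigation quoted above, as an added example that is not part of the original message or of the MacPorts or Elasticsearch code. It reads log4j-core versions from jar file names and looks for the flag in the config files named in the message; the function names and the library directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check the mitigation quoted above.

# Versions of every log4j-core jar under a directory, taken from the file
# names (release versions such as 2.11.1; pre-release names are skipped).
log4j_core_versions() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
        sed -n 's/.*log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p' | sort -u
}

# The log4j2.formatMsgNoLookups property is honored from Log4j 2.10 on;
# older 2.x releases ignore it, so the flag alone does not help there.
flag_supported() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -eq 2 ] && [ "$minor" -ge 10 ]
}

# Succeeds if any given file has an uncommented line carrying the flag.
# Matches a bare jvm.options line as well as an ES_JAVA_OPTS="..." assignment.
flag_configured() {
    grep -Eqs -e '^[^#]*-Dlog4j2\.formatMsgNoLookups=true([^[:alnum:]]|$)' -- "$@"
}

# Usage: check_es_mitigation LIB_DIR CONFIG_FILE...
# Returns 0 only if every log4j-core jar found is covered by the flag.
check_es_mitigation() {
    lib_dir=$1; shift; status=0
    for v in $(log4j_core_versions "$lib_dir"); do
        if ! flag_supported "$v"; then
            echo "log4j-core $v: formatMsgNoLookups is ignored by this version"
            status=1
        elif flag_configured "$@"; then
            echo "log4j-core $v: formatMsgNoLookups=true is configured"
        else
            echo "log4j-core $v: flag not found in $*"
            status=1
        fi
    done
    return "$status"
}

# Run only when arguments are given, e.g. (the lib directory is a placeholder):
#   sh check.sh /path/to/elasticsearch/lib /opt/local/etc/elasticsearch/jvm.options
if [ "$#" -ge 2 ]; then check_es_mitigation "$@"; fi
```

The file check only shows what is configured on disk; a running Elasticsearch process picks the flag up after a restart.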


More information about the macports-dev mailing list