```shell
# Connect to your Zammad server
ssh myuser@myzammadserver -i ~/.ssh/mysshkey
# Go to Zammad folder
# Create a file INSIDE the running elasticsearch docker container in /usr/share/elasticsearch/config/jvm.options.d/nolog4j0day.options
docker exec zammad_zammad-elasticsearch_1 bash -c "echo '-Dlog4j2.formatMsgNoLookups=true' > /usr/share/elasticsearch/config/jvm.options.d/nolog4j0day.options"
# Restart ES service
docker-compose stop zammad-elasticsearch
docker-compose start zammad-elasticsearch
# Verify that formatMsgNoLookups=true is in the output
# (the [f] keeps grep from matching its own command line)
ps auxfww | grep '[f]ormatMsgNoLookups=true'
```
The workaround is now included in the 7.16.1 release, packages and docker images already available:
Users may upgrade to Elasticsearch 7.16.1 or 6.8.21, which were released on December 13, 2021. These releases do not upgrade the Log4j package, but mitigate the vulnerability by setting the JVM option -Dlog4j2.formatMsgNoLookups=true and remove the vulnerable JndiLookup class from the Log4j package.
But beware of that one:
Note: In both of these scenarios, some vulnerability scanners may continue to flag Elasticsearch in association with this vulnerability based on the Log4j version alone. However, any of the above mitigations sufficiently protect both remote code execution and information leakage.
The documentation and the supported ES versions are up to date and thus not lying to you.
We’re talking about ES security updates and you want to ignore Zammad security issues in that regard? Why not update to a current Zammad 5.0.3 to get the desired ES support and fix all known security issues?
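An added example, not part of the original thread: since scanners may keep flagging the Log4j version, this checks the mitigation itself by reporting which value of `log4j2.formatMsgNoLookups` a `jvm.options.d` directory ends up setting, and whether a `ps` listing shows the flag on a process other than `grep`. The function names and every sample file name except `nolog4j0day.options` are assumptions, as is the rule that a later occurrence of the option overrides an earlier one.

```shell
#!/bin/sh
# Added example (not from the thread): check what jvm.options.d really sets.

# effective_nolookups DIR -> prints the last value set for
# log4j2.formatMsgNoLookups ("true", "false", ...) or "unset".
effective_nolookups() {
    result=unset
    # Elasticsearch only reads files ending in .options; the glob is sorted.
    for f in "$1"/*.options; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            # Trim whitespace, drop a JVM-version prefix ("8:", "8-:", "8-11:").
            # Simplification: the prefix is not matched against the running JVM.
            opt=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^[0-9][0-9]*\(-[0-9]*\)\{0,1\}://')
            # Assumption: a later occurrence overrides an earlier one.
            case $opt in
                -Dlog4j2.formatMsgNoLookups=*) result=${opt#*=} ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$result"
}

# running_has_flag: reads `ps` output on stdin and succeeds only if a line
# other than the grep command itself carries the flag set to true.
running_has_flag() {
    grep -v ' grep ' | grep -q -e '-Dlog4j2\.formatMsgNoLookups=true'
}

demo() {
    d=$(mktemp -d)
    # Constructed sample files, not taken from a real server.
    printf '%s\n' '# workaround' '-Dlog4j2.formatMsgNoLookups=true' > "$d/nolog4j0day.options"
    printf '%s\n' '-Dlog4j2.formatMsgNoLookups=false' > "$d/zz-local.options"
    printf '%s\n' '-Dlog4j2.formatMsgNoLookups=true' > "$d/ignored.options.bak"
    effective_nolookups "$d"   # prints "false": zz-local.options sorts last
    rm -rf "$d"
}
demo
```

Point `effective_nolookups` at a copy of the container's `/usr/share/elasticsearch/config/jvm.options.d` directory, and pipe the `ps auxfww` output into `running_has_flag`.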