It’s a Java framework used by developers to keep records of activity within an application. To exploit the flaw, an attacker sends a malicious code string that eventually gets logged by Log4j version 2.0 or higher (CVE-2021-44228). The exploit lets the attacker load arbitrary Java code on a server, allowing them to take control.

Magento Log4j

When you have an Adobe Commerce installation, the software most likely to bring in this vulnerability is ElasticSearch. If you run it on a different server or container, check that server first.

To keep your server updated you should keep your Magento updated too. The latest stable version of Magento is compatible with the latest versions of the server packages, such as PHP, ElasticSearch, etc.

If you have hosting support, for example MageMojo, Ecritel, WebScale or Nexcess, contact them as soon as possible. If you run your own server on AWS or Digital Ocean, make sure your server has updated packages. The main package that you need to have updated is ElasticSearch.
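To see which Log4j copies a server actually carries before and after updating packages, the sketch below walks a directory (for example the ElasticSearch install directory), opens every archive and reports each log4j-core copy it finds, including copies nested inside other archives. It is an added example, not code from this post or from Adobe or Elastic; it assumes the standard Maven metadata path and JndiLookup class path inside log4j-core jars, and the function names are illustrative.

```python
"""Inventory log4j-core copies under a directory (added example)."""
import io
import os
import re
import sys
import zipfile

# Assumed standard locations inside a log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, findings, depth=0):
    """Record log4j-core evidence in one archive, then recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(data)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not an archive: skip it, keep scanning
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = "unknown"
            if POM_PROPS in names:
                text = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", text, re.M)
                version = m.group(1) if m else version
            findings.append({"path": label, "version": version,
                             "jndi_lookup": JNDI_CLASS in names})
        if depth >= 3:  # bound recursion into nested archives
            return
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}",
                             findings, depth + 1)


def scan_tree(root):
    """Walk root and return one finding per log4j-core copy, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                scan_archive(path, path, findings)
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['path']}\tlog4j-core {f['version']}\tJndiLookup: {f['jndi_lookup']}")
```

Pass the directory to scan as the first argument; any reported log4j-core 2.x copy is a package to update or to raise with your hosting provider.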


If you use ElasticSearch 5, 6 or 7, you need to update it to the version launched today (Dec 13, 2021). To mitigate attacks while you’re upgrading ElasticSearch, you need to set the JVM option below.