Though lot of images on DockerHub are unaffected by the Log4j vulnerability. There is small set of images that was found to use log4j library in the docker images and these are the list of images that is right now on dockerhub and are known to be vulnerable. So unless an update is published, stop using the below images with immediate effect
- couchbase
- elasticsearch
- flink
- geonetwork
- lightstreamer
- logstash
- neo4j
- nuxeo
- solr
- sonarqube
- storm
- xwiki
This includes some of the most commonly used Docker images like elasticsearch, solr and sonarqube. If you are running any of your containerized apps using these images either you have to stop your apps or do the workarounds as noted in the below post.
As per Docker, they are still working with the verified publishers to update the images and patch the log4j version. It might be some time before the vulnerability is addressed in all the images on docker.
