We are using Elasticsearch 7.14.1. With this version we have log4j-api-2.11.1.jar and log4j-core-2.11.1.jar being shipped to customers. Apart from the above-mentioned workaround and possible fixes, is it possible to simply replace log4j-api-2.11.1.jar with log4j-api-2.16.0.jar and log4j-core-2.11.1.jar with log4j-core-2.16.0.jar to completely remove the vulnerable jar file? Would you recommend that also as one fix apart from the above workarounds? This is because customers are concerned about having some vulnerable components on their systems and are more interested in removing the problem itself (here the log4j 2.11 jar), rather than having some workaround or fixes with the vulnerable component.
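Whatever route is taken, the first thing to verify on a customer system is which log4j-core jar is actually on disk. The following is an added example, not code from the original post or from Elastic: it inventories log4j-core jars under a lib directory and flags any below 2.16.0, the version the post proposes shipping. The default Elasticsearch lib path and the 2.16.0 floor are assumptions taken from the post.

```shell
#!/bin/sh
# Added example: inventory log4j-core jars and flag versions below the floor.
# MIN_LOG4J_VERSION is the replacement version the post proposes (assumption).
MIN_LOG4J_VERSION="2.16.0"

# Extract "2.11.1" from a path such as .../lib/log4j-core-2.11.1.jar.
# Prints nothing for jars that are not log4j-core (e.g. log4j-api).
log4j_version_from_jar() {
  basename "$1" .jar | sed -n 's/^log4j-core-\([0-9][0-9.]*\)$/\1/p'
}

# Numeric dotted-version compare: prints 1 if $1 >= $2, else 0.
version_at_least() {
  have="$1"; want="$2"; i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s\n' "$have" | cut -d. -f"$i")
    b=$(printf '%s\n' "$want" | cut -d. -f"$i")
    a=${a:-0}; b=${b:-0}            # missing components count as 0
    if [ "$a" -gt "$b" ]; then echo 1; return; fi
    if [ "$a" -lt "$b" ]; then echo 0; return; fi
    i=$((i + 1))
  done
  echo 1
}

# Classify one jar path as "ok", "outdated" or "unknown" (version not parsable).
classify_log4j_jar() {
  v=$(log4j_version_from_jar "$1")
  if [ -z "$v" ]; then echo unknown; return; fi
  if [ "$(version_at_least "$v" "$MIN_LOG4J_VERSION")" = 1 ]; then
    echo ok
  else
    echo outdated
  fi
}

# Scan a lib directory; the default path is the usual Elasticsearch location (assumption).
scan_elasticsearch_lib() {
  dir="${1:-/usr/share/elasticsearch/lib}"
  for jar in "$dir"/log4j-core-*.jar; do
    [ -e "$jar" ] || { echo "no log4j-core jar found in $dir"; return; }
    echo "$(classify_log4j_jar "$jar")  $jar"
  done
}

# Usage: sh check-log4j.sh /usr/share/elasticsearch/lib
if [ -n "${1:-}" ]; then scan_elasticsearch_lib "$1"; fi
```

Run it against each node's lib directory after the replacement to confirm no `outdated` line remains; a jar from a version the filename does not follow shows as `unknown` and should be inspected by hand.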