From 21c7058d6b9783f4232606142ea818f122e4e4ea Mon Sep 17 00:00:00 2001 From: Paul McCann Date: Wed, 14 Jan 2026 10:52:05 +0000 Subject: [PATCH] docs: update security url to link to central policy --- docs/reference/frequently-asked-questions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/frequently-asked-questions.md b/docs/reference/frequently-asked-questions.md index 8d75963445..350e46c4e8 100644 --- a/docs/reference/frequently-asked-questions.md +++ b/docs/reference/frequently-asked-questions.md @@ -63,5 +63,5 @@ You can use the [public API](/reference/public-api.md) to create custom spans an ## The Elastic APM Java Agent is not using the latest log4j2 version. Is it still safe? [faq-log4j2-security] -Yes, the log4j version used contains backports for all known security vulnerabilities, including log4shell. More info on [log4j2’s security page](https://logging.apache.org/log4j/2.x/security.md). As the Elastic APM Java Agent still supports Java 7, we can’t update beyond log4j 2.12.x. Some security tools may still falsely flag the log4j2 version that the Elastic APM Java Agent uses as vulnerable. For these cases we publish a dedicated build which ships the latest log4j2 dependency, which however therefore requires at least Java 8. You can find this version on Maven Central linked at our [setup documentation](/reference/setup-javaagent.md#setup-javaagent-get-agent). If there’s a new vulnerability that’s not yet patched in the latest version of the Elastic APM Java Agent, please report it as described in [https://www.elastic.co/product-security](https://www.elastic.co/product-security). +Yes, the log4j version used contains backports for all known security vulnerabilities, including log4shell. More info on [log4j2’s security page](https://logging.apache.org/log4j/2.x/security.md). As the Elastic APM Java Agent still supports Java 7, we can’t update beyond log4j 2.12.x. Some security tools may still falsely flag the log4j2 version that the Elastic APM Java Agent uses as vulnerable. For these cases we publish a dedicated build which ships the latest log4j2 dependency, which however therefore requires at least Java 8. You can find this version on Maven Central linked at our [setup documentation](/reference/setup-javaagent.md#setup-javaagent-get-agent). If there’s a new vulnerability that’s not yet patched in the latest version of the Elastic APM Java Agent, please report it as described in [https://github.com/elastic/.github/blob/main/SECURITY.md](https://github.com/elastic/.github/blob/main/SECURITY.md).