## Security

### Elasticsearch 6.8.18

Updated Elasticsearch from 6.8.18 to 6.8.21 to resolve concerns regarding CVE-2021-44228 (Log4j remote code execution). [Elastic has stated](https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476) "Elasticsearch [is] not susceptible to remote code execution with this vulnerability". In the 6.8.21 release, Elastic has disabled JNDI lookups by setting `log4j2.formatMsgNoLookups` to `true` and by patching log4j to remove the `JndiLookup` class entirely.

### Redis 5.0.14

Updated Redis from 5.0.7 to 5.0.14 to resolve the following CVEs:

* CVE-2021-41099
* CVE-2021-32762
* CVE-2021-32687
* CVE-2021-32675
* CVE-2021-32672
* CVE-2021-32628
* CVE-2021-32627
* CVE-2021-32626
* CVE-2021-32761
* CVE-2021-21309

### OpenJDK 11.0.13+8

Updated OpenJDK from 11.0.11+7 to 11.0.13+8 to resolve the following CVEs:

* CVE-2021-35550
* CVE-2021-35565
* CVE-2021-35556
* CVE-2021-35559
* CVE-2021-35561
* CVE-2021-35564
* CVE-2021-35567
* CVE-2021-35578
* CVE-2021-35586
* CVE-2021-35603

## Packaging

### RHEL 8 Build ID

Chef Infra Server packages no longer install a build ID file that would prevent installing other Chef packages such as Infra Client.