Update to Open Distro 1.13.3
by: Kyle Davis
Open Distro 1.13.3 is an important security update. You can get it now on the download page. This version contains a patch for the recently published security notice (CVE-2021-44228) that affects the widely used Apache Log4j library, which Open Distro bundles. While, at the time of writing, the team has been unable to reproduce in Open Distro the remote code execution (RCE) described in that notice, its severity is such that all users should take mitigation measures. As recommended by the advisory, the team has released Open Distro 1.13.3, which removes the JndiLookup class from the Log4j jar on the classpath. For those who cannot upgrade to 1.13.3, the Log4j website outlines additional mitigation options.
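The mitigation above is mechanical: log4j-core ships JndiLookup as an ordinary class file inside its jar, and deleting that one entry is enough to stop the `${jndi:...}` lookup from ever being resolved. The following is an added example, not Open Distro project code, that does two things a practitioner wants around this release: scan a lib directory for any jar still carrying `org/apache/logging/log4j/core/lookup/JndiLookup.class` (a post-upgrade check), and strip the class from a jar for installations that cannot move to 1.13.3 yet. It uses only Python's standard library. The jar it scans is a constructed stand-in with placeholder bytes, not real Log4j bytecode; the file names and the `demo()` helper are this example's own.

```python
"""Find and strip log4j-core's JndiLookup class (added example, not Open Distro code).

Implements the Log4j advisory's "remove JndiLookup from the classpath" mitigation
with the standard library, plus a scan to confirm no jar under a lib/ tree still
carries the class. build_sample_jar() writes a constructed stand-in jar: the entry
names match log4j-core-2.x, the bytes are placeholders.
"""
import io
import os
import shutil
import tempfile
import zipfile

# Entry name of the class the mitigation removes, exactly as it sits in log4j-core-2.x.jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jndi_lookup_present(jar_path: str) -> bool:
    """True if the jar still carries JndiLookup.class (i.e. the mitigation is not applied)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def find_vulnerable_jars(root: str) -> list:
    """Walk root and return every .jar that still contains JndiLookup.class.
    Only top-level jars are opened; a jar shaded inside another jar is not inspected."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if jndi_lookup_present(path):
                    hits.append(path)
            except zipfile.BadZipFile:
                continue  # not a real zip archive; skip rather than abort the scan
    return sorted(hits)


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite jar_path without JndiLookup.class, keeping every other entry.
    zipfile cannot delete in place, so the jar is rebuilt in memory; the original is
    kept beside it as <name>.bak. Returns True if the class was actually removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP_CLASS:
                    continue
                dst.writestr(info, src.read(info.filename))  # preserves per-entry compression
    shutil.copy2(jar_path, jar_path + ".bak")
    with open(jar_path, "wb") as fh:
        fh.write(buf.getvalue())
    return True


def build_sample_jar(path: str) -> None:
    """Constructed stand-in for log4j-core-2.14.1.jar: real entry names, placeholder bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo() -> dict:
    """Build a throwaway lib/ tree, scan it, strip the flagged jar, and rescan."""
    work = tempfile.mkdtemp(prefix="log4j-check-")
    lib = os.path.join(work, "lib")
    os.makedirs(lib)
    core = os.path.join(lib, "log4j-core-2.14.1.jar")
    build_sample_jar(core)
    # log4j-api never contained JndiLookup; it must not be flagged.
    with zipfile.ZipFile(os.path.join(lib, "log4j-api-2.14.1.jar"), "w") as jar:
        jar.writestr("org/apache/logging/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    before = find_vulnerable_jars(lib)
    for path in before:
        strip_jndi_lookup(path)
    after = find_vulnerable_jars(lib)
    with zipfile.ZipFile(core) as jar:  # the rewritten jar must still open and keep its other entries
        remaining = sorted(jar.namelist())
    shutil.rmtree(work)
    return {"before": [os.path.basename(p) for p in before], "after": after, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

On a real host, `find_vulnerable_jars("/usr/share/elasticsearch")` (or wherever Open Distro is installed) should return an empty list after the 1.13.3 upgrade; if it does not, some plugin or sidecar bundles its own copy of log4j-core and needs the same treatment. The `strip_jndi_lookup` function is the scripted equivalent of the `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` one-liner from the Log4j site; either way, stop the JVM before rewriting a jar it has mapped, and restart it afterwards, since a running process keeps the old class loaded.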
Update Dec 14, 2021:
Open Distro 1.13.3 is not susceptible to CVE-2021-45046, as the JndiLookup mitigation resolves both this and the original security issue.