Posted to users@solr.apache.org by Reej Nayagam <re...@gmail.com> on 2021/12/12 02:51:21 UTC
Log4j vulnerability- Solr4 - urgent pls
Hi All,
In production we are using solr4 which uses log4j-1.2.17.jar.
Can someone say the mitigation option for solr4
Thanks
Reej
--
*Thanks,*
*Reej*
Re: Log4j vulnerability- Solr4 - urgent pls
Posted by Reej Nayagam <re...@gmail.com>.
Thank you for the reply.
*Thanks,*
*Reej*
On Sun, Dec 12, 2021 at 12:38 PM Walter Underwood <wu...@wunderwood.org>
wrote:
> Solr 4 does NOT have the vulnerability. You do not have to do anything.
>
> From the Solr Security page:
>
> 2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228
>
> Severity: Critical
>
> Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0
>
> https://solr.apache.org/security.html
>
> Solr 4 is before Solr 7.4, so it is not affected by this problem.
>
> wunder
> Walter Underwood
> wunder@wunderwood.org
> http://observer.wunderwood.org/ (my blog)
>
> > On Dec 11, 2021, at 8:28 PM, Reej Nayagam <re...@gmail.com> wrote:
> >
> > Thank you for your reply.
> >
> > It mentions Dlog4j2 but with solr4 it is log4j1.2.17
> > Can we use this command
> >
> > - -*Dlog4j2*.formatMsgNoLookups=true
> >
> >
> > On Sun, 12 Dec 2021 at 12:03 PM, Raveendra Yerraguntla
> > <ra...@yahoo.com.invalid> wrote:
> >
> >>
> >> - -Dlog4j2.formatMsgNoLookups=true
> >>
> >>
> >> restart jvm with the above param and should work.
> >>
> >>
> >>
> >>
> >>
> >> On Saturday, December 11, 2021, 09:51:54 PM EST, Reej Nayagam <
> >> reejmca@gmail.com> wrote:
> >>
> >> Hi All,
> >>
> >> In production we are using solr4 which uses log4j-1.2.17.jar.
> >>
> >> Can someone say the mitigation option for solr4
> >>
> >> Thanks
> >> Reej
> >> --
> >> *Thanks,*
> >> *Reej*
> >>
> >
> > --
> > *Thanks,*
> > *Reej*
>
>
Re: Log4j vulnerability- Solr4 - urgent pls
Posted by Walter Underwood <wu...@wunderwood.org>.
Solr 4 does NOT have the vulnerability. You do not have to do anything.
From the Solr Security page:
2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228
Severity: Critical
Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0
https://solr.apache.org/security.html
Solr 4 is before Solr 7.4, so it is not affected by this problem.
wunder
Walter Underwood
wunder@wunderwood.org
http://observer.wunderwood.org/ (my blog)
> On Dec 11, 2021, at 8:28 PM, Reej Nayagam <re...@gmail.com> wrote:
>
> Thank you for your reply.
>
> It mentions Dlog4j2 but with solr4 it is log4j1.2.17
> Can we use this command
>
> - -*Dlog4j2*.formatMsgNoLookups=true
>
>
> On Sun, 12 Dec 2021 at 12:03 PM, Raveendra Yerraguntla
> <ra...@yahoo.com.invalid> wrote:
>
>>
>> - -Dlog4j2.formatMsgNoLookups=true
>>
>>
>> restart jvm with the above param and should work.
>>
>>
>>
>>
>>
>> On Saturday, December 11, 2021, 09:51:54 PM EST, Reej Nayagam <
>> reejmca@gmail.com> wrote:
>>
>> Hi All,
>>
>> In production we are using solr4 which uses log4j-1.2.17.jar.
>>
>> Can someone say the mitigation option for solr4
>>
>> Thanks
>> Reej
>> --
>> *Thanks,*
>> *Reej*
>>
>
> --
> *Thanks,*
> *Reej*
Re: Log4j vulnerability- Solr4 - urgent pls
Posted by Reej Nayagam <re...@gmail.com>.
Thank you for your reply.
It mentions Dlog4j2 but with solr4 it is log4j1.2.17
Can we use this command
- -*Dlog4j2*.formatMsgNoLookups=true
On Sun, 12 Dec 2021 at 12:03 PM, Raveendra Yerraguntla
<ra...@yahoo.com.invalid> wrote:
>
> - -Dlog4j2.formatMsgNoLookups=true
>
>
> restart jvm with the above param and should work.
>
>
>
>
>
> On Saturday, December 11, 2021, 09:51:54 PM EST, Reej Nayagam <
> reejmca@gmail.com> wrote:
>
> Hi All,
>
> In production we are using solr4 which uses log4j-1.2.17.jar.
>
> Can someone say the mitigation option for solr4
>
> Thanks
> Reej
> --
> *Thanks,*
> *Reej*
>
--
*Thanks,*
*Reej*
Re: Log4j vulnerability- Solr4 - urgent pls
Posted by Raveendra Yerraguntla <ra...@gmail.com>.
For Solr 4, you don’t need this.
Please see other replies.
> On Dec 12, 2021, at 12:50 AM, Reej Nayagam <re...@gmail.com> wrote:
>
> Thanks for the reply.
>
> *Regards,*
> *Reej*
>
>
>> On Sun, Dec 12, 2021 at 12:28 PM Rahul Goswami <ra...@gmail.com>
>> wrote:
>>
>> In case of solr4 which uses log4j-1.2.17.jar, the
>> "log4j2.formatMsgNoLookups=true" system property is neither required nor
>> applicable. In fact, the property was only introduced in log4j-2.10 (refer
>> to the JIRA below). So not just Solr, but any Java application using 2<=
>> log4j <2.10 will not be helped by this system property.
>>
>> https://issues.apache.org/jira/browse/LOG4J2-2109
>>
>> On Sat, Dec 11, 2021 at 11:04 PM Raveendra Yerraguntla
>> <ra...@yahoo.com.invalid> wrote:
>>
>>>
>>> - -Dlog4j2.formatMsgNoLookups=true
>>>
>>>
>>> restart jvm with the above param and should work.
>>>
>>>
>>>
>>>
>>>
>>> On Saturday, December 11, 2021, 09:51:54 PM EST, Reej Nayagam <
>>> reejmca@gmail.com> wrote:
>>>
>>> Hi All,
>>>
>>> In production we are using solr4 which uses log4j-1.2.17.jar.
>>>
>>> Can someone say the mitigation option for solr4
>>>
>>> Thanks
>>> Reej
>>> --
>>> *Thanks,*
>>> *Reej*
>>>
>>
Re: Log4j vulnerability- Solr4 - urgent pls
Posted by Reej Nayagam <re...@gmail.com>.
Thanks for the reply.
*Regards,*
*Reej*
On Sun, Dec 12, 2021 at 12:28 PM Rahul Goswami <ra...@gmail.com>
wrote:
> In case of solr4 which uses log4j-1.2.17.jar, the
> "log4j2.formatMsgNoLookups=true" system property is neither required nor
> applicable. In fact, the property was only introduced in log4j-2.10 (refer
> to the JIRA below). So not just Solr, but any Java application using 2<=
> log4j <2.10 will not be helped by this system property.
>
> https://issues.apache.org/jira/browse/LOG4J2-2109
>
> On Sat, Dec 11, 2021 at 11:04 PM Raveendra Yerraguntla
> <ra...@yahoo.com.invalid> wrote:
>
> >
> > - -Dlog4j2.formatMsgNoLookups=true
> >
> >
> > restart jvm with the above param and should work.
> >
> >
> >
> >
> >
> > On Saturday, December 11, 2021, 09:51:54 PM EST, Reej Nayagam <
> > reejmca@gmail.com> wrote:
> >
> > Hi All,
> >
> > In production we are using solr4 which uses log4j-1.2.17.jar.
> >
> > Can someone say the mitigation option for solr4
> >
> > Thanks
> > Reej
> > --
> > *Thanks,*
> > *Reej*
> >
>
Re: Log4j vulnerability- Solr4 - urgent pls
Posted by Rahul Goswami <ra...@gmail.com>.
In case of solr4 which uses log4j-1.2.17.jar, the
"log4j2.formatMsgNoLookups=true" system property is neither required nor
applicable. In fact, the property was only introduced in log4j-2.10 (refer
to the JIRA below). So not just Solr, but any Java application using 2<=
log4j <2.10 will not be helped by this system property.
https://issues.apache.org/jira/browse/LOG4J2-2109
On Sat, Dec 11, 2021 at 11:04 PM Raveendra Yerraguntla
<ra...@yahoo.com.invalid> wrote:
>
> - -Dlog4j2.formatMsgNoLookups=true
>
>
> restart jvm with the above param and should work.
>
>
>
>
>
> On Saturday, December 11, 2021, 09:51:54 PM EST, Reej Nayagam <
> reejmca@gmail.com> wrote:
>
> Hi All,
>
> In production we are using solr4 which uses log4j-1.2.17.jar.
>
> Can someone say the mitigation option for solr4
>
> Thanks
> Reej
> --
> *Thanks,*
> *Reej*
>
Re: Log4j vulnerability- Solr4 - urgent pls
Posted by Raveendra Yerraguntla <ra...@yahoo.com.INVALID>.
- -Dlog4j2.formatMsgNoLookups=true
restart jvm with the above param and should work.
On Saturday, December 11, 2021, 09:51:54 PM EST, Reej Nayagam <re...@gmail.com> wrote:
Hi All,
In production we are using solr4 which uses log4j-1.2.17.jar.
Can someone say the mitigation option for solr4
Thanks
Reej
--
*Thanks,*
*Reej*
Re: Log4j vulnerability- Solr4 - urgent pls
Posted by Rahul Goswami <ra...@gmail.com>.
As pointed out by the author of log4j 1.x, the library is not susceptible
to this attack the way log4j2 is.
https://github.com/apache/logging-log4j2/pull/608#issuecomment-991380319
So you should be good.
Rahul
On Sat, Dec 11, 2021 at 9:51 PM Reej Nayagam <re...@gmail.com> wrote:
> Hi All,
>
> In production we are using solr4 which uses log4j-1.2.17.jar.
>
> Can someone say the mitigation option for solr4
>
> Thanks
> Reej
> --
> *Thanks,*
> *Reej*
>
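Added example, not written by anyone in this thread: a small inventory check that applies the two facts the replies rely on, namely the Solr version ranges quoted from the security page and the log4j 2.10 cut-off for the log4j2.formatMsgNoLookups property. The function names and the directory layout in demo() are hypothetical, and the jar files it scans are empty files constructed for the example.

```python
import os
import re
import tempfile

# log4j-1.2.17.jar (1.x naming) or log4j-core-2.11.0.jar (2.x core jar).
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)(?:\.\d+)*(?:-[A-Za-z0-9]+)?\.jar$")
# Ranges quoted in the thread from the Solr security page (CVE-2021-44228).
SOLR_AFFECTED = [((7, 4, 0), (7, 7, 3)), ((8, 0, 0), (8, 11, 0))]

def solr_in_advisory_range(version):
    """True if a Solr version string falls inside the quoted ranges."""
    parts = [int(p) for p in version.split(".")[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))
    return any(lo <= v <= hi for lo, hi in SOLR_AFFECTED)

def classify_jar(filename):
    """Map a jar file name to a log4j generation, or None if not log4j."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    if major == 1:  # thread: property neither required nor applicable
        return "1.x"
    if major == 2:  # thread: property only introduced in 2.10
        return "2.0-2.9" if minor < 10 else "2.10+"
    return None

def scan(root):
    """Walk root; return {relative path: generation} for each log4j jar."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            key = classify_jar(name)
            if key:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found[rel] = key
    return found

def demo():
    """Scan a constructed tree of empty files named like real jars."""
    names = ["solr4/lib/ext/log4j-1.2.17.jar", "app/lib/log4j-core-2.8.2.jar",
             "app2/lib/log4j-core-2.11.0.jar", "app2/lib/log4j-api-2.11.0.jar"]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            path = os.path.join(root, *n.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan(root)

if __name__ == "__main__":
    print(sorted(demo().items()))
```

A jar classified as "2.0-2.9" is the case Rahul's reply describes: setting the system property on that JVM changes nothing, so it cannot be counted as a mitigation there.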