Posted to users@solr.apache.org by Walter Underwood <wu...@wunderwood.org> on 2021/12/10 18:44:14 UTC

Solr and CVE-2021-44228

Does all Solr logging go through slf4j? If so, that should protect against this vulnerability.

If not, who has tested Solr with log4j 2.15.1?

We are running 8.8.2.

wunder
Walter Underwood
wunder@wunderwood.org
http://observer.wunderwood.org/  (my blog)


Re: Solr and CVE-2021-44228

Posted by Mike Drob <md...@mdrob.com>.
Thanks again!

I also added more detail on the impact to log4j 1 to the announcement text

On Fri, Dec 10, 2021 at 4:32 PM Andy C <an...@gmail.com> wrote:

> Mike,
>
> I see that the "Versions Affected" statement has been updated, but further
> down it still states "Apache Solr releases prior to 7.0 (i.e. all Solr 5
> and Solr 6 releases) use log4j 1.2.17".
>
> 7.0 should be updated to 7.4.
>
> - Andy -
>
> On Fri, Dec 10, 2021 at 5:10 PM Mike Drob <md...@mdrob.com> wrote:
>
> > Andy - you are correct, we will update the notice on the site. Thank you
> > for checking the details.
> >
> > On Fri, Dec 10, 2021 at 4:08 PM Andy C <an...@gmail.com> wrote:
> >
> > > The statement on the https://solr.apache.org/security.html page states
> > > that
> > > all 7.X and all 8.X versions are vulnerable, however looking at my
> 7.3.1
> > > Solr instance I am still finding the 1.2.17 version of the log4j jar.
> > >
> > > I found https://issues.apache.org/jira/browse/SOLR-7887 which
> indicates
> > > that the migration to log4j2 occurred with the 7.4 release.
> > >
> > > So I would think that the 7.0 - 7.3.1 releases would be in the same
> > > situation as the pre 7.0 releases.
> > >
> > > Is this correct?
> > >
> > > - Andy -
> > >
> > > On Fri, Dec 10, 2021 at 4:32 PM Mike Drob <md...@mdrob.com> wrote:
> > >
> > > > If you are opting in to using a lookup capable appender then you are
> > > > vulnerable. I don’t have a POC for testing it, but generally you’d
> only
> > > be
> > > > affected if you’re using this functionality explicitly
> > > >
> > > > On Fri, Dec 10, 2021 at 3:21 PM mtn search <se...@gmail.com>
> > wrote:
> > > >
> > > > > Thanks for the information Mike!
> > > > >
> > > > > I noticed that on https://solr.apache.org/security.html it lists
> the
> > > > > following statement for Solr releases prior to 7:
> > > > >
> > > > > Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6
> > releases)
> > > > use
> > > > > log4j 1.2.17 which may be vulnerable for installations using
> > > non-default
> > > > > logging configurations. To determine if you are vulnerable please
> > > consult
> > > > > the Log4J security page.
> > > > >
> > > > > I am working with Solr 6.4.2.  I referenced the Log4J security
> page (
> > > > > https://logging.apache.org/log4j/2.x/security.html ) and did not
> > see a
> > > > > means to verify whether our 1.2 log4j configuration is vulnerable.
> > Any
> > > > > tips on doing this, or other helpful links?
> > > > >
> > > > > Thanks,
> > > > > Matt
> > > > >
> > > > >
> > > > > On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <
> rahul196452@gmail.com
> > >
> > > > > wrote:
> > > > >
> > > > > > In addition to the mitigation strategies mentioned on the Solr
> > page,
> > > > the
> > > > > > below blog post indicates that you should be protected if you are
> > > using
> > > > > > Java 11.0.1 and up
> > > > > >
> > > > > > https://www.lunasec.io/docs/blog/log4j-zero-day/
> > > > > >
> > > > > > On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com>
> wrote:
> > > > > >
> > > > > > > Solr is affected. Please see the statement at the
> > > > > > > https://solr.apache.org/security.html page
> > > > > > >
> > > > > > > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <
> > > > > wunder@wunderwood.org
> > > > > > >
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Does all Solr logging go through slf4j? If so, that should
> > > protect
> > > > > > > against
> > > > > > > > this vulnerability.
> > > > > > > >
> > > > > > > > If not, who has tested Solr with log4j 2.15.1?
> > > > > > > >
> > > > > > > > We are running 8.8.2.
> > > > > > > >
> > > > > > > > wunder
> > > > > > > > Walter Underwood
> > > > > > > > wunder@wunderwood.org
> > > > > > > > http://observer.wunderwood.org/  (my blog)
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: Solr and CVE-2021-44228

Posted by Andy C <an...@gmail.com>.
Mike,

I see that the "Versions Affected" statement has been updated, but further
down it still states "Apache Solr releases prior to 7.0 (i.e. all Solr 5
and Solr 6 releases) use log4j 1.2.17".

7.0 should be updated to 7.4.

- Andy -

On Fri, Dec 10, 2021 at 5:10 PM Mike Drob <md...@mdrob.com> wrote:

> Andy - you are correct, we will update the notice on the site. Thank you
> for checking the details.
>
> On Fri, Dec 10, 2021 at 4:08 PM Andy C <an...@gmail.com> wrote:
>
> > The statement on the https://solr.apache.org/security.html page states
> > that
> > all 7.X and all 8.X versions are vulnerable, however looking at my 7.3.1
> > Solr instance I am still finding the 1.2.17 version of the log4j jar.
> >
> > I found https://issues.apache.org/jira/browse/SOLR-7887 which indicates
> > that the migration to log4j2 occurred with the 7.4 release.
> >
> > So I would think that the 7.0 - 7.3.1 releases would be in the same
> > situation as the pre 7.0 releases.
> >
> > Is this correct?
> >
> > - Andy -
> >
> > On Fri, Dec 10, 2021 at 4:32 PM Mike Drob <md...@mdrob.com> wrote:
> >
> > > If you are opting in to using a lookup capable appender then you are
> > > vulnerable. I don’t have a POC for testing it, but generally you’d only
> > be
> > > affected if you’re using this functionality explicitly
> > >
> > > On Fri, Dec 10, 2021 at 3:21 PM mtn search <se...@gmail.com>
> wrote:
> > >
> > > > Thanks for the information Mike!
> > > >
> > > > I noticed that on https://solr.apache.org/security.html it lists the
> > > > following statement for Solr releases prior to 7:
> > > >
> > > > Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6
> releases)
> > > use
> > > > log4j 1.2.17 which may be vulnerable for installations using
> > non-default
> > > > logging configurations. To determine if you are vulnerable please
> > consult
> > > > the Log4J security page.
> > > >
> > > > I am working with Solr 6.4.2.  I referenced the Log4J security page (
> > > > https://logging.apache.org/log4j/2.x/security.html ) and did not
> see a
> > > > means to verify whether our 1.2 log4j configuration is vulnerable.
> Any
> > > > tips on doing this, or other helpful links?
> > > >
> > > > Thanks,
> > > > Matt
> > > >
> > > >
> > > > On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <rahul196452@gmail.com
> >
> > > > wrote:
> > > >
> > > > > In addition to the mitigation strategies mentioned on the Solr
> page,
> > > the
> > > > > below blog post indicates that you should be protected if you are
> > using
> > > > > Java 11.0.1 and up
> > > > >
> > > > > https://www.lunasec.io/docs/blog/log4j-zero-day/
> > > > >
> > > > > On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote:
> > > > >
> > > > > > Solr is affected. Please see the statement at the
> > > > > > https://solr.apache.org/security.html page
> > > > > >
> > > > > > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <
> > > > wunder@wunderwood.org
> > > > > >
> > > > > > wrote:
> > > > > >
> > > > > > > Does all Solr logging go through slf4j? If so, that should
> > protect
> > > > > > against
> > > > > > > this vulnerability.
> > > > > > >
> > > > > > > If not, who has tested Solr with log4j 2.15.1?
> > > > > > >
> > > > > > > We are running 8.8.2.
> > > > > > >
> > > > > > > wunder
> > > > > > > Walter Underwood
> > > > > > > wunder@wunderwood.org
> > > > > > > http://observer.wunderwood.org/  (my blog)
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: Solr and CVE-2021-44228

Posted by Mike Drob <md...@mdrob.com>.
Andy - you are correct, we will update the notice on the site. Thank you
for checking the details.

On Fri, Dec 10, 2021 at 4:08 PM Andy C <an...@gmail.com> wrote:

> The statement on the https://solr.apache.org/security.html page states
> that
> all 7.X and all 8.X versions are vulnerable, however looking at my 7.3.1
> Solr instance I am still finding the 1.2.17 version of the log4j jar.
>
> I found https://issues.apache.org/jira/browse/SOLR-7887 which indicates
> that the migration to log4j2 occurred with the 7.4 release.
>
> So I would think that the 7.0 - 7.3.1 releases would be in the same
> situation as the pre 7.0 releases.
>
> Is this correct?
>
> - Andy -
>
> On Fri, Dec 10, 2021 at 4:32 PM Mike Drob <md...@mdrob.com> wrote:
>
> > If you are opting in to using a lookup capable appender then you are
> > vulnerable. I don’t have a POC for testing it, but generally you’d only
> be
> > affected if you’re using this functionality explicitly
> >
> > On Fri, Dec 10, 2021 at 3:21 PM mtn search <se...@gmail.com> wrote:
> >
> > > Thanks for the information Mike!
> > >
> > > I noticed that on https://solr.apache.org/security.html it lists the
> > > following statement for Solr releases prior to 7:
> > >
> > > Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases)
> > use
> > > log4j 1.2.17 which may be vulnerable for installations using
> non-default
> > > logging configurations. To determine if you are vulnerable please
> consult
> > > the Log4J security page.
> > >
> > > I am working with Solr 6.4.2.  I referenced the Log4J security page (
> > > https://logging.apache.org/log4j/2.x/security.html ) and did not see a
> > > means to verify whether our 1.2 log4j configuration is vulnerable.  Any
> > > tips on doing this, or other helpful links?
> > >
> > > Thanks,
> > > Matt
> > >
> > >
> > > On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <ra...@gmail.com>
> > > wrote:
> > >
> > > > In addition to the mitigation strategies mentioned on the Solr page,
> > the
> > > > below blog post indicates that you should be protected if you are
> using
> > > > Java 11.0.1 and up
> > > >
> > > > https://www.lunasec.io/docs/blog/log4j-zero-day/
> > > >
> > > > On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote:
> > > >
> > > > > Solr is affected. Please see the statement at the
> > > > > https://solr.apache.org/security.html page
> > > > >
> > > > > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <
> > > wunder@wunderwood.org
> > > > >
> > > > > wrote:
> > > > >
> > > > > > Does all Solr logging go through slf4j? If so, that should
> protect
> > > > > against
> > > > > > this vulnerability.
> > > > > >
> > > > > > If not, who has tested Solr with log4j 2.15.1?
> > > > > >
> > > > > > We are running 8.8.2.
> > > > > >
> > > > > > wunder
> > > > > > Walter Underwood
> > > > > > wunder@wunderwood.org
> > > > > > http://observer.wunderwood.org/  (my blog)
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: Solr and CVE-2021-44228

Posted by Andy C <an...@gmail.com>.
The statement on the https://solr.apache.org/security.html page states that
all 7.X and all 8.X versions are vulnerable, however looking at my 7.3.1
Solr instance I am still finding the 1.2.17 version of the log4j jar.

I found https://issues.apache.org/jira/browse/SOLR-7887 which indicates
that the migration to log4j2 occurred with the 7.4 release.

So I would think that the 7.0 - 7.3.1 releases would be in the same
situation as the pre 7.0 releases.

Is this correct?

- Andy -

On Fri, Dec 10, 2021 at 4:32 PM Mike Drob <md...@mdrob.com> wrote:

> If you are opting in to using a lookup capable appender then you are
> vulnerable. I don’t have a POC for testing it, but generally you’d only be
> affected if you’re using this functionality explicitly
>
> On Fri, Dec 10, 2021 at 3:21 PM mtn search <se...@gmail.com> wrote:
>
> > Thanks for the information Mike!
> >
> > I noticed that on https://solr.apache.org/security.html it lists the
> > following statement for Solr releases prior to 7:
> >
> > Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases)
> use
> > log4j 1.2.17 which may be vulnerable for installations using non-default
> > logging configurations. To determine if you are vulnerable please consult
> > the Log4J security page.
> >
> > I am working with Solr 6.4.2.  I referenced the Log4J security page (
> > https://logging.apache.org/log4j/2.x/security.html ) and did not see a
> > means to verify whether our 1.2 log4j configuration is vulnerable.  Any
> > tips on doing this, or other helpful links?
> >
> > Thanks,
> > Matt
> >
> >
> > On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <ra...@gmail.com>
> > wrote:
> >
> > > In addition to the mitigation strategies mentioned on the Solr page,
> the
> > > below blog post indicates that you should be protected if you are using
> > > Java 11.0.1 and up
> > >
> > > https://www.lunasec.io/docs/blog/log4j-zero-day/
> > >
> > > On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote:
> > >
> > > > Solr is affected. Please see the statement at the
> > > > https://solr.apache.org/security.html page
> > > >
> > > > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <
> > wunder@wunderwood.org
> > > >
> > > > wrote:
> > > >
> > > > > Does all Solr logging go through slf4j? If so, that should protect
> > > > against
> > > > > this vulnerability.
> > > > >
> > > > > If not, who has tested Solr with log4j 2.15.1?
> > > > >
> > > > > We are running 8.8.2.
> > > > >
> > > > > wunder
> > > > > Walter Underwood
> > > > > wunder@wunderwood.org
> > > > > http://observer.wunderwood.org/  (my blog)
> > > > >
> > > > >
> > > >
> > >
> >
>
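
Andy established which log4j generation his 7.3.1 install ships by looking at the jar on disk. The following script is an added example (not code from this thread or from the Solr project) that does the same inventory for a whole install tree: it lists every log4j jar, the version from the filename and from the jar manifest, and, for a log4j-core 2.x jar, whether the JndiLookup class is still inside it. The jar naming pattern and the JndiLookup entry path are facts about log4j distributions; the install tree that build_sample_install() creates is constructed for the demo and stands in for a real Solr or ZooKeeper directory.

```python
"""Inventory the log4j jars under a Solr (or ZooKeeper) install tree.

Added example, not code from the thread or from the Solr project. For every
jar named log4j*.jar it records the artifact, the version from the filename,
the Implementation-Version from the jar manifest, and, for log4j-core 2.x,
whether the JndiLookup class is still inside the jar. The jar naming pattern
and the JndiLookup entry path are facts about log4j distributions; the
install tree built by build_sample_install() is constructed for the demo.
"""
import os
import re
import tempfile
import zipfile

# log4j-1.2.17.jar, log4j-core-2.11.2.jar, log4j-slf4j-impl-2.11.2.jar, ...
JAR_RE = re.compile(r"^(log4j(?:-[a-z0-9.]+)*?)-(\d+(?:\.\d+)+)\.jar$")
# Class that implements JNDI lookups in log4j-core 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def manifest_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def contains_entry(jar_path, entry):
    """True if the jar contains the given entry path."""
    with zipfile.ZipFile(jar_path) as zf:
        return entry in zf.namelist()


def scan_for_log4j(root):
    """Walk root and return one dict per log4j jar, sorted by relative path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            artifact, version = m.group(1), m.group(2)
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "artifact": artifact,
                "version": version,
                "major": int(version.split(".")[0]),
                "manifest_version": manifest_version(path),
                # only meaningful for log4j-core 2.x; None for other artifacts
                "jndi_lookup_present": (contains_entry(path, JNDI_LOOKUP)
                                        if artifact == "log4j-core" else None),
            })
    return sorted(findings, key=lambda f: f["path"])


def _write_jar(path, version, extra_entries=()):
    """Create a minimal jar: a manifest plus any extra (empty) entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        for entry in extra_entries:
            zf.writestr(entry, b"")


def build_sample_install(root):
    """Constructed tree: a 1.2.17 jar as in pre-7.4 Solr, plus a 2.x core/api pair."""
    ext = os.path.join(root, "server", "lib", "ext")
    _write_jar(os.path.join(ext, "log4j-1.2.17.jar"), "1.2.17")
    _write_jar(os.path.join(ext, "log4j-core-2.11.2.jar"), "2.11.2", [JNDI_LOOKUP])
    _write_jar(os.path.join(ext, "log4j-api-2.11.2.jar"), "2.11.2")
    _write_jar(os.path.join(ext, "slf4j-api-1.7.24.jar"), "1.7.24")  # not log4j, ignored


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        return scan_for_log4j(root)


if __name__ == "__main__":
    for f in demo():
        print("%-40s %-12s %-8s jndi_lookup=%s" % (
            f["path"], f["artifact"], f["version"], f["jndi_lookup_present"]))
```

Point scan_for_log4j() at a real install root (for example the Solr home or the ZooKeeper lib directory) to get the same report for that tree; the "major" field separates the 1.x question Andy and Matt are discussing from the 2.x one, and the manifest version catches jars that were renamed on disk.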

Re: Solr and CVE-2021-44228

Posted by mtn search <se...@gmail.com>.
Thanks again Mike!

Do you perhaps have an example of a lookup capable appender for log4j
v1.2?  I have only found lookups for 2.x
https://logging.apache.org/log4j/2.x/manual/lookups.html.

I am only using two types of appenders for v1.2:
     org.apache.log4j.ConsoleAppender
     org.apache.log4j.rolling.RollingFileAppender

Do you believe I am in the clear with these appenders?

Thanks,
Matt

On Fri, Dec 10, 2021 at 2:33 PM Mike Drob <md...@mdrob.com> wrote:

> If you are opting in to using a lookup capable appender then you are
> vulnerable. I don’t have a POC for testing it, but generally you’d only be
> affected if you’re using this functionality explicitly
>
> On Fri, Dec 10, 2021 at 3:21 PM mtn search <se...@gmail.com> wrote:
>
> > Thanks for the information Mike!
> >
> > I noticed that on https://solr.apache.org/security.html it lists the
> > following statement for Solr releases prior to 7:
> >
> > Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases)
> use
> > log4j 1.2.17 which may be vulnerable for installations using non-default
> > logging configurations. To determine if you are vulnerable please consult
> > the Log4J security page.
> >
> > I am working with Solr 6.4.2.  I referenced the Log4J security page (
> > https://logging.apache.org/log4j/2.x/security.html ) and did not see a
> > means to verify whether our 1.2 log4j configuration is vulnerable.  Any
> > tips on doing this, or other helpful links?
> >
> > Thanks,
> > Matt
> >
> >
> > On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <ra...@gmail.com>
> > wrote:
> >
> > > In addition to the mitigation strategies mentioned on the Solr page,
> the
> > > below blog post indicates that you should be protected if you are using
> > > Java 11.0.1 and up
> > >
> > > https://www.lunasec.io/docs/blog/log4j-zero-day/
> > >
> > > On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote:
> > >
> > > > Solr is affected. Please see the statement at the
> > > > https://solr.apache.org/security.html page
> > > >
> > > > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <
> > wunder@wunderwood.org
> > > >
> > > > wrote:
> > > >
> > > > > Does all Solr logging go through slf4j? If so, that should protect
> > > > against
> > > > > this vulnerability.
> > > > >
> > > > > If not, who has tested Solr with log4j 2.15.1?
> > > > >
> > > > > We are running 8.8.2.
> > > > >
> > > > > wunder
> > > > > Walter Underwood
> > > > > wunder@wunderwood.org
> > > > > http://observer.wunderwood.org/  (my blog)
> > > > >
> > > > >
> > > >
> > >
> >
>
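
Matt's question is whether a log4j 1.2 configuration that only declares ConsoleAppender and RollingFileAppender is exposed; the Solr advisory ties exposure to non-default configurations and Andy later narrows it to the JMS Appender. The following script is an added example (not code from this thread or from the Solr project) that answers the narrower question mechanically: it lists every appender a log4j 1.2 configuration binds, in either the properties form or log4j.xml, and flags those bound to org.apache.log4j.net.JMSAppender, which is the log4j 1.2 class name of that appender. The two sample configurations are constructed; the properties one mirrors the two appender classes Matt listed.

```python
"""List the appenders a log4j 1.2 configuration declares and flag the JMS one.

Added example, not code from the thread or from the Solr project. It reads
either the properties form (log4j.appender.NAME=class) or log4j.xml
(<appender name=".." class="..">) and reports which appender names are bound
to org.apache.log4j.net.JMSAppender. Both sample configurations below are
constructed.
"""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# "log4j.appender.<name>=<class>" binds the class; keys with a further dotted
# segment (".layout", ".File", ".rollingPolicy") only configure that appender.
PROP_RE = re.compile(r"^\s*log4j\.appender\.([^.\s=:]+)\s*[=:]\s*(\S+)")


def appenders_from_properties(text):
    """Map appender name -> class for a log4j.properties file."""
    found = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def appenders_from_xml(text):
    """Map appender name -> class for a log4j.xml file."""
    root = ET.fromstring(text)
    # The log4j: prefix sits on the root element only; <appender> is unprefixed.
    return {a.get("name"): a.get("class") for a in root.iter("appender")}


def review(text):
    """Return (appenders, flagged): every binding, and the names using JMSAppender."""
    appenders = (appenders_from_xml(text) if text.lstrip().startswith("<")
                 else appenders_from_properties(text))
    flagged = sorted(n for n, c in appenders.items() if c == JMS_APPENDER)
    return appenders, flagged


# Constructed properties config with the two appender classes Matt listed.
SAMPLE_PROPERTIES = """\
# constructed log4j 1.2 properties config
log4j.rootLogger=INFO, CONSOLE, file
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.file=org.apache.log4j.rolling.RollingFileAppender
log4j.appender.file.rollingPolicy=org.apache.log4j.rolling.TimeBasedRollingPolicy
log4j.appender.file.layout=org.apache.log4j.PatternLayout
"""

# Constructed log4j.xml config that does bind the JMS appender.
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout"/>
  </appender>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <root><level value="INFO"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("properties", SAMPLE_PROPERTIES), ("xml", SAMPLE_XML)):
        appenders, flagged = review(cfg)
        print(label, appenders, "JMS appender names:", flagged or "none")
```

Run review() over the text of each log4j.properties or log4j.xml the JVM is actually started with (Solr 6.x points at it via the -Dlog4j.configuration system property in its start script), not only the one shipped in the distribution, since a locally edited copy is exactly the "non-default logging configuration" the advisory is talking about. An empty flagged list for a configuration that declares only console and rolling-file appenders is the outcome Matt is hoping for.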

Re: Solr and CVE-2021-44228

Posted by Mike Drob <md...@mdrob.com>.
If you are opting in to using a lookup capable appender then you are
vulnerable. I don’t have a POC for testing it, but generally you’d only be
affected if you’re using this functionality explicitly

On Fri, Dec 10, 2021 at 3:21 PM mtn search <se...@gmail.com> wrote:

> Thanks for the information Mike!
>
> I noticed that on https://solr.apache.org/security.html it lists the
> following statement for Solr releases prior to 7:
>
> Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use
> log4j 1.2.17 which may be vulnerable for installations using non-default
> logging configurations. To determine if you are vulnerable please consult
> the Log4J security page.
>
> I am working with Solr 6.4.2.  I referenced the Log4J security page (
> https://logging.apache.org/log4j/2.x/security.html ) and did not see a
> means to verify whether our 1.2 log4j configuration is vulnerable.  Any
> tips on doing this, or other helpful links?
>
> Thanks,
> Matt
>
>
> On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <ra...@gmail.com>
> wrote:
>
> > In addition to the mitigation strategies mentioned on the Solr page, the
> > below blog post indicates that you should be protected if you are using
> > Java 11.0.1 and up
> >
> > https://www.lunasec.io/docs/blog/log4j-zero-day/
> >
> > On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote:
> >
> > > Solr is affected. Please see the statement at the
> > > https://solr.apache.org/security.html page
> > >
> > > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <
> wunder@wunderwood.org
> > >
> > > wrote:
> > >
> > > > Does all Solr logging go through slf4j? If so, that should protect
> > > against
> > > > this vulnerability.
> > > >
> > > > If not, who has tested Solr with log4j 2.15.1?
> > > >
> > > > We are running 8.8.2.
> > > >
> > > > wunder
> > > > Walter Underwood
> > > > wunder@wunderwood.org
> > > > http://observer.wunderwood.org/  (my blog)
> > > >
> > > >
> > >
> >
>

Re: Solr and CVE-2021-44228

Posted by mtn search <se...@gmail.com>.
Thanks for the information Mike!

I noticed that on https://solr.apache.org/security.html it lists the
following statement for Solr releases prior to 7:

Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use
log4j 1.2.17 which may be vulnerable for installations using non-default
logging configurations. To determine if you are vulnerable please consult
the Log4J security page.

I am working with Solr 6.4.2.  I referenced the Log4J security page (
https://logging.apache.org/log4j/2.x/security.html ) and did not see a
means to verify whether our 1.2 log4j configuration is vulnerable.  Any
tips on doing this, or other helpful links?

Thanks,
Matt


On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <ra...@gmail.com> wrote:

> In addition to the mitigation strategies mentioned on the Solr page, the
> below blog post indicates that you should be protected if you are using
> Java 11.0.1 and up
>
> https://www.lunasec.io/docs/blog/log4j-zero-day/
>
> On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote:
>
> > Solr is affected. Please see the statement at the
> > https://solr.apache.org/security.html page
> >
> > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <wunder@wunderwood.org
> >
> > wrote:
> >
> > > Does all Solr logging go through slf4j? If so, that should protect
> > against
> > > this vulnerability.
> > >
> > > If not, who has tested Solr with log4j 2.15.1?
> > >
> > > We are running 8.8.2.
> > >
> > > wunder
> > > Walter Underwood
> > > wunder@wunderwood.org
> > > http://observer.wunderwood.org/  (my blog)
> > >
> > >
> >
>

Re: Solr and CVE-2021-44228

Posted by Richard Frovarp <rf...@apache.org>.
Unless other attack vectors are found, which are now noted in that same 
section if you are running through Tomcat.

On 12/10/21 2:22 PM, Rahul Goswami wrote:
> In addition to the mitigation strategies mentioned on the Solr page, the
> below blog post indicates that you should be protected if you are using
> Java 11.0.1 and up
> 
> https://www.lunasec.io/docs/blog/log4j-zero-day/
> 
> On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote:
> 
>> Solr is affected. Please see the statement at the
>> https://solr.apache.org/security.html page
>>
>> On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <wu...@wunderwood.org>
>> wrote:
>>
>>> Does all Solr logging go through slf4j? If so, that should protect
>> against
>>> this vulnerability.
>>>
>>> If not, who has tested Solr with log4j 2.15.1?
>>>
>>> We are running 8.8.2.
>>>
>>> wunder
>>> Walter Underwood
>>> wunder@wunderwood.org
>>> http://observer.wunderwood.org/  (my blog)
>>>
>>>
>>
> 


Re: Solr and CVE-2021-44228

Posted by Rahul Goswami <ra...@gmail.com>.
In addition to the mitigation strategies mentioned on the Solr page, the
below blog post indicates that you should be protected if you are using
Java 11.0.1 and up

https://www.lunasec.io/docs/blog/log4j-zero-day/

On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote:

> Solr is affected. Please see the statement at the
> https://solr.apache.org/security.html page
>
> On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <wu...@wunderwood.org>
> wrote:
>
> > Does all Solr logging go through slf4j? If so, that should protect
> against
> > this vulnerability.
> >
> > If not, who has tested Solr with log4j 2.15.1?
> >
> > We are running 8.8.2.
> >
> > wunder
> > Walter Underwood
> > wunder@wunderwood.org
> > http://observer.wunderwood.org/  (my blog)
> >
> >
>

Re: Solr and CVE-2021-44228

Posted by Mike Drob <md...@mdrob.com>.
Solr is affected. Please see the statement at the
https://solr.apache.org/security.html page

On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <wu...@wunderwood.org>
wrote:

> Does all Solr logging go through slf4j? If so, that should protect against
> this vulnerability.
>
> If not, who has tested Solr with log4j 2.15.1?
>
> We are running 8.8.2.
>
> wunder
> Walter Underwood
> wunder@wunderwood.org
> http://observer.wunderwood.org/  (my blog)
>
>

Re: Zookeeper and Solr and CVE-2021-44228

Posted by Andy C <an...@gmail.com>.
Zookeeper has not yet migrated to log4j2. Even their latest releases
(3.6.3, 3.7.0) are still using version 1.2.17 of log4j.

So I would think that Zookeeper would be in the same situation as the
pre-7.4.0 Solr releases as described here:
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

So I guess the question is whether Zookeeper uses the JMS Appender?

- Andy -

On Mon, Dec 13, 2021 at 9:30 AM Andy Lester <an...@petdance.com> wrote:

>
>
> > On Dec 13, 2021, at 8:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
> >
> > I presume this also needs fixing for zookeeper nodes?
>
> Anything that logs with log4j.

Re: Zookeeper and Solr and CVE-2021-44228

Posted by Andy Lester <an...@petdance.com>.

> On Dec 13, 2021, at 8:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
> 
> I presume this also needs fixing for zookeeper nodes?

Anything that logs with log4j.

Re: Zookeeper and Solr and CVE-2021-44228

Posted by Jan Høydahl <ja...@cominvent.com>.
To unsubscribe, see https://solr.apache.org/community.html#mailing-lists-chat

Jan

> On 15 Dec 2021, at 04:30, John Eberly <jo...@eberly.org> wrote:
> 
> unsubscribe
> 
> 
> On Mon, Dec 13, 2021 at 8:53 AM Walter Underwood <wu...@wunderwood.org>
> wrote:
> 
>> Zookeeper 3.5.7 uses log4j 1.x, so is not vulnerable. I checked.
>> 
>> wunder
>> Walter Underwood
>> wunder@wunderwood.org
>> http://observer.wunderwood.org/  (my blog)
>> 
>>> On Dec 13, 2021, at 6:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
>>> 
>>> I presume this also needs fixing for zookeeper nodes?
>>> 
>>> On 12/10/21 13:44, Walter Underwood wrote:
>>>> Does all Solr logging go through slf4j? If so, that should protect
>> against this vulnerability.
>>>> 
>>>> If not, who has tested Solr with log4j 2.15.1?
>>>> 
>>>> We are running 8.8.2.
>>>> 
>>>> wunder
>>>> Walter Underwood
>>>> wunder@wunderwood.org
>>>> http://observer.wunderwood.org/   (my blog)
>>>> 
>>>> 
>> 
>> 


Re: Zookeeper and Solr and CVE-2021-44228

Posted by John Eberly <jo...@eberly.org>.
unsubscribe


On Mon, Dec 13, 2021 at 8:53 AM Walter Underwood <wu...@wunderwood.org>
wrote:

> Zookeeper 3.5.7 uses log4j 1.x, so is not vulnerable. I checked.
>
> wunder
> Walter Underwood
> wunder@wunderwood.org
> http://observer.wunderwood.org/  (my blog)
>
> > On Dec 13, 2021, at 6:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
> >
> > I presume this also needs fixing for zookeeper nodes?
> >
> > On 12/10/21 13:44, Walter Underwood wrote:
> >> Does all Solr logging go through slf4j? If so, that should protect
> against this vulnerability.
> >>
> >> If not, who has tested Solr with log4j 2.15.1?
> >>
> >> We are running 8.8.2.
> >>
> >> wunder
> >> Walter Underwood
> >> wunder@wunderwood.org
> >> http://observer.wunderwood.org/   (my blog)
> >>
> >>
>
>

Re: Zookeeper and Solr and CVE-2021-44228

Posted by Walter Underwood <wu...@wunderwood.org>.
Zookeeper 3.5.7 uses log4j 1.x, so is not vulnerable. I checked.

wunder
Walter Underwood
wunder@wunderwood.org
http://observer.wunderwood.org/  (my blog)

> On Dec 13, 2021, at 6:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
> 
> I presume this also needs fixing for zookeeper nodes?
> 
> On 12/10/21 13:44, Walter Underwood wrote:
>> Does all Solr logging go through slf4j? If so, that should protect against this vulnerability.
>> 
>> If not, who has tested Solr with log4j 2.15.1?
>> 
>> We are running 8.8.2.
>> 
>> wunder
>> Walter Underwood
>> wunder@wunderwood.org
>> http://observer.wunderwood.org/   (my blog)
>> 
>> 


Zookeeper and Solr and CVE-2021-44228

Posted by Michael Conrad <mi...@newsrx.com>.
I presume this also needs fixing for zookeeper nodes?

On 12/10/21 13:44, Walter Underwood wrote:
> Does all Solr logging go through slf4j? If so, that should protect against this vulnerability.
>
> If not, who has tested Solr with log4j 2.15.1?
>
> We are running 8.8.2.
>
> wunder
> Walter Underwood
> wunder@wunderwood.org
> http://observer.wunderwood.org/   (my blog)
>
>

Re: Solr and CVE-2021-44228

Posted by Bram Van Dam <br...@intix.eu>.
In case anyone wants to patch 7.7.3 from source, here's a patch and 
quick build instructions:

Apply the attached patch -- hopefully the mailing list won't nerf the 
attachment.

git am < /path/to/CVE-2021-4422.txt
ant clean compile jar -Dversion=7.7.3
cd solr
ant package -Dversion=7.7.3


  - Bram