Posted to users@solr.apache.org by Ramila Herath <ra...@ifs.com> on 2022/02/24 04:25:49 UTC

Log4J DoS Vulnerability: CVE-2021-45105

Hi;

Can this vulnerability be exploited in Solr 8.11.1? Solr 8.11.1 has log4j 2.16, but I couldn't find a log4j.properties file in the distribution setting a non-default layout pattern (with or without context lookup). Any idea when Solr would do a release with log4j 2.17.1?

Thanks in advance

Regards,

Ramila Herath (he/him)
Senior Software Architect | Experience Framework


Re: Log4J DoS Vulnerability: CVE-2021-45105

Posted by André Widhani <aw...@stibodx.com.INVALID>.
Please see https://solr.apache.org/security.html
To quote from there:

| Solr is not vulnerable to the followup CVE-2021-45046 and CVE-2021-45105.

Re: Log4J DoS Vulnerability: CVE-2021-45105

Posted by Shawn Heisey <ap...@elyograg.org>.
On 2/23/2022 9:25 PM, Ramila Herath wrote:
> Can this vulnerability be exploited in Solr 8.11.1? Solr 8.11.1 has 
> log4j 2.16, but I couldn't find a log4j.properties file in the 
> distribution setting a non-default layout pattern (with or without 
> context lookup). Any idea when Solr would do a release with log4j 2.17.1?

As noted in another reply, Solr is not vulnerable to the problems fixed 
after log4j 2.16, as long as you do not change the logging 
configuration.  Because of that, it is likely that the first version of 
Solr with log4j 2.17.1 or later will be Solr 9.0.0.  The release process 
for 9.0.0 is underway now.  I do not have an ETA.

The log4j2 library does not use log4j.properties for configuration - 
that's used by log4j 1.x.  You'll find the logging config for Solr in a 
file named log4j2.xml.

Thanks,
Shawn
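A small audit for the condition Shawn and Ramila describe (CVE-2021-45105 on a log4j 2.16 install only matters if the layout pattern in log4j2.xml was changed to use a `${ctx:...}` context lookup). This is an added example, not Solr's code or its shipped config; the two log4j2.xml fragments are constructed for illustration, and the `%X{...}` rewrite is the replacement the Log4j advisory recommends for context lookups in patterns.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a default-style pattern that reads thread-context
# values through the %X{} converter (no lookup engine involved).
SAFE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{core}] %c{1.} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

# Constructed sample: a customised config using ${ctx:...} and the
# deferred $${ctx:...} form, i.e. the non-default pattern Ramila asked about.
RISKY_CONFIG = """<Configuration>
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [${ctx:collection}] %c %m%n"/>
    </Console>
    <RollingFile name="FILE" fileName="solr.log">
      <PatternLayout>
        <Pattern>%d %-5p $${ctx:core} %m%n</Pattern>
      </PatternLayout>
    </RollingFile>
  </Appenders>
</Configuration>"""

# Matches ${ctx:...} and the escaped $${ctx:...} (resolved per log event).
CTX_LOOKUP = re.compile(r"\$+\{ctx:")


def find_context_lookups(xml_text):
    """Return (appender name, pattern) pairs whose PatternLayout uses a
    context lookup. Handles both the pattern="..." attribute and the
    nested <Pattern> element form that log4j2.xml allows."""
    root = ET.fromstring(xml_text)
    hits = []
    for appender in root.iter():
        for layout in appender.findall("PatternLayout"):
            pattern = layout.get("pattern")
            if pattern is None:
                node = layout.find("Pattern")
                pattern = node.text if node is not None else ""
            if CTX_LOOKUP.search(pattern or ""):
                hits.append((appender.get("name"), pattern))
    return hits


def harden_pattern(pattern):
    """Rewrite ${ctx:key} / $${ctx:key} to %X{key}, which prints the same
    thread-context value without running the lookup substitution engine."""
    return re.sub(r"\$+\{ctx:([^}]+)\}", r"%X{\1}", pattern)
```

Running `find_context_lookups` over a real log4j2.xml from a Solr install is the quick way to confirm the "as long as you do not change the logging configuration" condition actually holds on a given host.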