Posted to users@solr.apache.org by Ardian Krivca <ar...@corel.com.INVALID> on 2022/08/10 21:00:20 UTC

Solr version 6.3 - log4j question

Hi,

I have a support question and was wondering if you can please help me.

I have Solr version 6.3, I am trying to understand if I am vulnerable to the log4j issue.  Solr™ Security News - Apache Solr <https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228> I looked on your site and it says "Description: Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.
Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through 7.3) use Log4J 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender,".

Can you please help me understand this. This means I am NOT vulnerable to the log4j issue? What does this mean exactly? "which may be vulnerable for installations using non-default logging configurations that include the JMS Appender?"

Thank you



Re: Solr version 6.3 - log4j question

Posted by Gus Heck <gu...@gmail.com>.
Hi Ardian,

You will want to review the various CVEs related to log4j 1.2.17 to
evaluate your risk level. The log4j2 vulnerabilities (i.e. log4shell) are
not relevant to 6.3. There are several 1.2 vulnerabilities, but most of
them are only activated by the use of some less common logging
configurations, or certain tools that were distributed with Log4J 1.2. If
you do not use the affected tools, and do not use the appenders
(JMSAppender being one) in your configurations, then if you have good
controls over the configuration of your logging (so that nobody untrusted
or unaware of the danger might add affected appenders), you should be safe
from most of those CVEs. A good starting point is the list on the log4j
1.2 site:

https://logging.apache.org/log4j/1.2/

Log4j 1.2 is end of life and unmaintained, so you should not expect fixes
for these issues from the log4j team.

From a security perspective, the "easy" way to be sure of the best possible
security is to upgrade to the latest Solr, but that's unlikely to be "easy"
from any other perspective. Next best is to use the Log4j 1.2->2.0 bridge
library (https://logging.apache.org/log4j/2.x/log4j-1.2-api/index.html)
to allow your old (also end of life) Solr version to use new Log4j logging
classes. It is important to use log4j 2.18.0 not 2.17.2 for best results if
you go that route, since the increased use of the bridge after this crisis
seems to have led to several fixes/enhancements in 2.18.0. Be aware however
that you should test carefully after applying the bridge. I've seen it
succeed with 6.4, but I can't be 100% sure it also works well with 6.3.

-Gus

On Thu, Aug 11, 2022 at 1:01 PM Ardian Krivca
<ar...@corel.com.invalid> wrote:

> Hi,
>
> I have a support question and was wondering if you can please help me.
>
> I have Solr version 6.3, I am trying to understand if I am vulnerable to
> the log4j issue.  Solr™ Security News - Apache Solr
> <https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228>
> I looked on your site and it says “*Description: Apache Solr releases
> prior to 8.11.1 were using a bundled version of the Apache Log4J library
> vulnerable to RCE. For full impact and additional detail consult the Log4J
> security page.*
>
> *Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7
> through 7.3) use Log4J 1.2.17 which may be vulnerable for installations
> using non-default logging configurations that include the JMS Appender,*”.
>
> Can you please help me understand this. This means I am NOT vulnerable to
> the log4j issue? What does this mean exactly? “*which may be vulnerable
> for installations using non-default logging configurations that include the
> JMS Appender?*”
>
> Thank you


-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)
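Gus's advice comes down to auditing what appenders your Solr 6.3 log4j.properties actually defines and attaches. The following is an added example (not code from the thread, Solr, or the log4j project) that parses the log4j 1.2 properties format, flags the JMSAppender class the thread names, and distinguishes an appender that is merely defined from one attached to a logger; the two sample configurations are constructed, and the appender set is a parameter you can extend from the CVE list on the log4j 1.2 site.

```python
import re
from typing import Dict, List, Set, Tuple

# Appender class the thread names as the risky non-default configuration for
# Log4j 1.2.17; extend from the CVE list on the log4j 1.2 site as needed.
RISKY_APPENDER_CLASSES: Set[str] = {"org.apache.log4j.net.JMSAppender"}

# log4j.appender.<name>=<class>; <name> has no dots, so option keys such as
# log4j.appender.file.File=... do not match this pattern.
APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
# log4j.rootLogger=LEVEL, app1, app2  and  log4j.logger.<pkg>=LEVEL, app...
LOGGER_RE = re.compile(r"^log4j\.(?:rootLogger|logger\.[^=\s]+)\s*=\s*(.*)$")

def parse_log4j_properties(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (appender name -> class, names attached to some logger).
    Properties format only (not log4j.xml); continuation lines are not folded."""
    appenders: Dict[str, str] = {}
    attached: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = LOGGER_RE.match(line)
        if m:  # first field is the level, the remaining fields are appenders
            fields = [f.strip() for f in m.group(1).split(",")]
            attached.update(f for f in fields[1:] if f)
    return appenders, attached

def find_risky_appenders(text: str, risky: Set[str] = RISKY_APPENDER_CLASSES
                         ) -> List[Tuple[str, str, bool]]:
    """(name, class, attached) per risky appender; attached ones are the live exposure."""
    appenders, attached = parse_log4j_properties(text)
    return sorted((n, c, n in attached) for n, c in appenders.items() if c in risky)

# Constructed samples: a default-style Solr 6 file/console config, and the same
# config after a JMS appender was attached to the root logger (plus an unused one).
DEFAULT_STYLE = """\
log4j.rootLogger=INFO, file, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=${solr.log}/solr.log
"""
MODIFIED = DEFAULT_STYLE.replace("file, CONSOLE", "file, CONSOLE, jms") + """\
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.spare=org.apache.log4j.net.JMSAppender
"""
```

Run `find_risky_appenders` over the properties file your Solr instance actually loads; an empty result for a file you control is the condition Gus describes as being safe from most of those CVEs.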