Posted to users@solr.apache.org by Michael Conrad <mi...@newsrx.com> on 2021/12/13 14:20:13 UTC
Zookeeper and Solr and CVE-2021-44228
I presume this also needs fixing for zookeeper nodes?
On 12/10/21 13:44, Walter Underwood wrote:
> Does all Solr logging go through slf4j? If so, that should protect against this vulnerability.
>
> If not, who has tested Solr with log4j 2.15.1?
>
> We are running 8.8.2.
>
> wunder
> Walter Underwood
> wunder@wunderwood.org
> http://observer.wunderwood.org/ (my blog)
>
>
Re: Zookeeper and Solr and CVE-2021-44228
Posted by Andy C <an...@gmail.com>.
Zookeeper has not yet migrated to log4j2. Even their latest releases
(3.6.3, 3.7.0) are still using version 1.2.17 of log4j.
So I would think that Zookeeper would be in the same situation as the
pre-7.4.0 Solr releases as described here:
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
So I guess the question is whether Zookeeper uses the JMS Appender?
- Andy -
On Mon, Dec 13, 2021 at 9:30 AM Andy Lester <an...@petdance.com> wrote:
>
>
> > On Dec 13, 2021, at 8:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
> >
> > I presume this also needs fixing for zookeeper nodes?
>
> Anything that logs with log4j.
Re: Zookeeper and Solr and CVE-2021-44228
Posted by Andy Lester <an...@petdance.com>.
> On Dec 13, 2021, at 8:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
>
> I presume this also needs fixing for zookeeper nodes?
Anything that logs with log4j.
Re: Zookeeper and Solr and CVE-2021-44228
Posted by Jan Høydahl <ja...@cominvent.com>.
To unsubscribe, see https://solr.apache.org/community.html#mailing-lists-chat
Jan
> On 15 Dec 2021, at 04:30, John Eberly <jo...@eberly.org> wrote:
>
> unsubscribe
>
>
> On Mon, Dec 13, 2021 at 8:53 AM Walter Underwood <wu...@wunderwood.org>
> wrote:
>
>> Zookeeper 3.5.7 uses log4j 1.x, so is not vulnerable. I checked.
>>
>> wunder
>> Walter Underwood
>> wunder@wunderwood.org
>> http://observer.wunderwood.org/ (my blog)
>>
>>> On Dec 13, 2021, at 6:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
>>>
>>> I presume this also needs fixing for zookeeper nodes?
>>>
>>> On 12/10/21 13:44, Walter Underwood wrote:
>>>> Does all Solr logging go through slf4j? If so, that should protect
>> against this vulnerability.
>>>>
>>>> If not, who has tested Solr with log4j 2.15.1?
>>>>
>>>> We are running 8.8.2.
>>>>
>>>> wunder
>>>> Walter Underwood
>>>> wunder@wunderwood.org
>>>> http://observer.wunderwood.org/ (my blog)
>>>>
>>>>
>>
>>
Re: Zookeeper and Solr and CVE-2021-44228
Posted by John Eberly <jo...@eberly.org>.
unsubscribe
On Mon, Dec 13, 2021 at 8:53 AM Walter Underwood <wu...@wunderwood.org>
wrote:
> Zookeeper 3.5.7 uses log4j 1.x, so is not vulnerable. I checked.
>
> wunder
> Walter Underwood
> wunder@wunderwood.org
> http://observer.wunderwood.org/ (my blog)
>
> > On Dec 13, 2021, at 6:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
> >
> > I presume this also needs fixing for zookeeper nodes?
> >
> > On 12/10/21 13:44, Walter Underwood wrote:
> >> Does all Solr logging go through slf4j? If so, that should protect
> against this vulnerability.
> >>
> >> If not, who has tested Solr with log4j 2.15.1?
> >>
> >> We are running 8.8.2.
> >>
> >> wunder
> >> Walter Underwood
> >> wunder@wunderwood.org
> >> http://observer.wunderwood.org/ (my blog)
> >>
> >>
>
>
Re: Zookeeper and Solr and CVE-2021-44228
Posted by Walter Underwood <wu...@wunderwood.org>.
Zookeeper 3.5.7 uses log4j 1.x, so is not vulnerable. I checked.
wunder
Walter Underwood
wunder@wunderwood.org
http://observer.wunderwood.org/ (my blog)
> On Dec 13, 2021, at 6:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
>
> I presume this also needs fixing for zookeeper nodes?
>
> On 12/10/21 13:44, Walter Underwood wrote:
>> Does all Solr logging go through slf4j? If so, that should protect against this vulnerability.
>>
>> If not, who has tested Solr with log4j 2.15.1?
>>
>> We are running 8.8.2.
>>
>> wunder
>> Walter Underwood
>> wunder@wunderwood.org
>> http://observer.wunderwood.org/ (my blog)
>>
>>
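
A check for the two questions raised in this thread (does a node ship log4j 1.x or 2.x, and is the JMS Appender configured), given here as an added example that is not part of the original messages. It looks only at jar entry names and at `log4j.properties`; the helper names and the stub jar names in `demo()` are hypothetical and the sample tree is constructed.

```python
import os
import tempfile
import zipfile

# Jar entry names that identify each log4j generation (matched by name only).
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j2 JndiLookup",
    "org/apache/log4j/Logger.class": "log4j 1.x classes",  # also in 1.x bridge jars
    "org/apache/log4j/net/JMSAppender.class": "JMSAppender class",
}

def classify_jar(path):
    """Return the set of marker labels whose class entry is present in the jar."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return {"unreadable"}
    return {label for entry, label in MARKERS.items() if entry in names}

def config_uses_jms(path):
    """True if a log4j.properties file names JMSAppender on a non-comment line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return any("org.apache.log4j.net.JMSAppender" in line
                   and not line.lstrip().startswith(("#", "!")) for line in fh)

def scan(root):
    """Walk root and map each jar or log4j.properties (relative path) to findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.endswith(".jar"):
                report[rel] = classify_jar(full)
            elif name == "log4j.properties":
                report[rel] = {"JMSAppender configured"} if config_uses_jms(full) else set()
    return report

def demo():
    """Scan a constructed tree: stub jars holding empty class entries, plus a config."""
    with tempfile.TemporaryDirectory() as root:
        stubs = {"log4j1-sample.jar": list(MARKERS)[1:], "log4j2-sample.jar": list(MARKERS)[:1]}
        for jar, entries in stubs.items():
            with zipfile.ZipFile(os.path.join(root, jar), "w") as z:
                for entry in entries:
                    z.writestr(entry, b"")
        with open(os.path.join(root, "log4j.properties"), "w") as fh:
            fh.write("#log4j.appender.J=org.apache.log4j.net.JMSAppender\n")
        return scan(root)
```

Jars nested inside a war or fat jar are not opened, so `scan()` should be pointed at the unpacked `lib` directories of each Solr and Zookeeper node.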