Posted to users@solr.apache.org by Michael Conrad <mi...@newsrx.com> on 2021/12/13 14:20:13 UTC

Zookeeper and Solr and CVE-2021-44228

I presume this also needs fixing for zookeeper nodes?

On 12/10/21 13:44, Walter Underwood wrote:
> Does all Solr logging go through slf4j? If so, that should protect against this vulnerability.
>
> If not, who has tested Solr with log4j 2.15.1?
>
> We are running 8.8.2.
>
> wunder
> Walter Underwood
> wunder@wunderwood.org
> http://observer.wunderwood.org/   (my blog)
>
>

Re: Zookeeper and Solr and CVE-2021-44228

Posted by Andy C <an...@gmail.com>.
Zookeeper has not yet migrated to log4j2. Even their latest releases
(3.6.3, 3.7.0) are still using version 1.2.17 of log4j.

So I would think that Zookeeper would be in the same situation as the
pre-7.4.0 Solr releases as described here:
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

So I guess the question is whether Zookeeper uses the JMS Appender?

- Andy -

On Mon, Dec 13, 2021 at 9:30 AM Andy Lester <an...@petdance.com> wrote:

>
>
> > On Dec 13, 2021, at 8:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
> >
> > I presume this also needs fixing for zookeeper nodes?
>
> Anything that logs with log4j.

Re: Zookeeper and Solr and CVE-2021-44228

Posted by Andy Lester <an...@petdance.com>.

> On Dec 13, 2021, at 8:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
> 
> I presume this also needs fixing for zookeeper nodes?

Anything that logs with log4j.

Re: Zookeeper and Solr and CVE-2021-44228

Posted by Jan Høydahl <ja...@cominvent.com>.
To unsubscribe, see https://solr.apache.org/community.html#mailing-lists-chat

Jan

> On 15 Dec 2021, at 04:30, John Eberly <jo...@eberly.org> wrote:
> 
> unsubscribe
> 
> 
> On Mon, Dec 13, 2021 at 8:53 AM Walter Underwood <wu...@wunderwood.org>
> wrote:
> 
>> Zookeeper 3.5.7 uses log4j 1.x, so is not vulnerable. I checked.
>> 
>> wunder
>> Walter Underwood
>> wunder@wunderwood.org
>> http://observer.wunderwood.org/  (my blog)
>> 
>>> On Dec 13, 2021, at 6:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
>>> 
>>> I presume this also needs fixing for zookeeper nodes?
>>> 
>>> On 12/10/21 13:44, Walter Underwood wrote:
>>>> Does all Solr logging go through slf4j? If so, that should protect against this vulnerability.
>>>> 
>>>> If not, who has tested Solr with log4j 2.15.1?
>>>> 
>>>> We are running 8.8.2.
>>>> 
>>>> wunder
>>>> Walter Underwood
>>>> wunder@wunderwood.org
>>>> http://observer.wunderwood.org/   (my blog)
>>>> 
>>>> 
>> 
>> 


Re: Zookeeper and Solr and CVE-2021-44228

Posted by John Eberly <jo...@eberly.org>.
unsubscribe


On Mon, Dec 13, 2021 at 8:53 AM Walter Underwood <wu...@wunderwood.org>
wrote:

> Zookeeper 3.5.7 uses log4j 1.x, so is not vulnerable. I checked.
>
> wunder
> Walter Underwood
> wunder@wunderwood.org
> http://observer.wunderwood.org/  (my blog)
>
> > On Dec 13, 2021, at 6:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
> >
> > I presume this also needs fixing for zookeeper nodes?
> >
> > On 12/10/21 13:44, Walter Underwood wrote:
> >> Does all Solr logging go through slf4j? If so, that should protect against this vulnerability.
> >>
> >> If not, who has tested Solr with log4j 2.15.1?
> >>
> >> We are running 8.8.2.
> >>
> >> wunder
> >> Walter Underwood
> >> wunder@wunderwood.org
> >> http://observer.wunderwood.org/   (my blog)
> >>
> >>
>
>

Re: Zookeeper and Solr and CVE-2021-44228

Posted by Walter Underwood <wu...@wunderwood.org>.
Zookeeper 3.5.7 uses log4j 1.x, so is not vulnerable. I checked.

wunder
Walter Underwood
wunder@wunderwood.org
http://observer.wunderwood.org/  (my blog)

> On Dec 13, 2021, at 6:20 AM, Michael Conrad <mi...@newsrx.com> wrote:
> 
> I presume this also needs fixing for zookeeper nodes?
> 
> On 12/10/21 13:44, Walter Underwood wrote:
>> Does all Solr logging go through slf4j? If so, that should protect against this vulnerability.
>> 
>> If not, who has tested Solr with log4j 2.15.1?
>> 
>> We are running 8.8.2.
>> 
>> wunder
>> Walter Underwood
>> wunder@wunderwood.org
>> http://observer.wunderwood.org/   (my blog)
>> 
>>
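
One way to run the two checks raised in Andy C's and Walter Underwood's messages above (which log4j generation a Zookeeper or Solr install ships, and whether a log4j 1.x config actually enables the JMS Appender), as an added example that is not part of the thread or of either project's code. The function names and the sample tree are constructed for illustration, and matching on marker classes inside the jar is a heuristic assumed here so that renamed jars are still recognised.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Marker class per log4j generation: 2.x core JNDI lookup, 1.x JMS appender.
MARKERS = {"2.x-core": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
           "1.x": "org/apache/log4j/net/JMSAppender.class"}
# An active (uncommented) log4j 1.x properties line that selects JMSAppender.
JMS_CONFIGURED = re.compile(
    r"^[ \t]*log4j\.appender\.[^=\s]+[ \t]*=[ \t]*org\.apache\.log4j\.net\.JMSAppender\b", re.M)

def classify_jar(path):
    """Return '2.x-core', '1.x' or None from the class names inside the jar."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return None  # not a readable archive
    return next((kind for kind, cls in MARKERS.items() if cls in names), None)

def scan(root):
    """Report log4j jars under root and log4j.properties files using JMSAppender."""
    report = {"2.x-core": [], "1.x": [], "jms_configs": []}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix == ".jar" and path.is_file():
            if (kind := classify_jar(path)):
                report[kind].append(path.name)
        elif path.name == "log4j.properties" and JMS_CONFIGURED.search(
                path.read_text(errors="replace")):
            report["jms_configs"].append(path.parent.name + "/" + path.name)
    return report

def build_sample(root):
    """Constructed sample tree: jars hold empty marker entries, not real log4j."""
    root = Path(root)
    for rel, kind in (("zk/lib/log4j-1.2.17.jar", "1.x"),
                      ("solr/lib/log4j-core-2.x.jar", "2.x-core")):
        (root / rel).parent.mkdir(parents=True)
        with zipfile.ZipFile(root / rel, "w") as jar:
            jar.writestr(MARKERS[kind], b"")
    (root / "zk/conf").mkdir()
    (root / "zk/conf/log4j.properties").write_text(
        "log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender\n"
        "#log4j.appender.JMS=org.apache.log4j.net.JMSAppender\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

Jars listed under `2.x-core` are the ones to compare against the Solr advisory linked in the thread; a non-empty `jms_configs` list answers the JMS Appender question for the 1.x case.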