Posted to users@solr.apache.org by Aravind Reddy Jangam <Ar...@Clarivate.com.INVALID> on 2023/03/31 14:37:24 UTC

Upgrading log4j

Hi

We are running solr version 6 & log4j version 1.x.
Is it possible to upgrade log4j to version 2.x without upgrading solr 6?

Thanks


Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately.

Re: Upgrading log4j

Posted by Shawn Heisey <ap...@elyograg.org>.
On 3/31/23 11:46, Aravind Reddy Jangam wrote:
> Thanks, even though log4j in solr is not affected by log4shell issue, I 
> wanted to check if it's possible to upgrade log4j without upgrading solr
> 
> As log4j version is end of life and apache recommends to upgrade to 
> log4j version 2

Solr 7.x and earlier are also end of life.  Problems found in those 
versions will NOT be fixed; you would have to upgrade Solr.

Solr 8.x is in what we call "maintenance mode", meaning that only major 
bugs in the last minor version (8.11.x) without a workaround will be fixed.

Thanks,
Shawn

RE: Upgrading log4j

Posted by Aravind Reddy Jangam <Ar...@Clarivate.com.INVALID>.
Sounds good, thanks for your input.

-----Original Message-----
From: Jan Høydahl <ja...@cominvent.com>
Sent: Friday, March 31, 2023 2:33 PM
To: users@solr.apache.org
Subject: Re: Upgrading log4j

I'm not aware that it is possible, but you could easily swap it out with any log lib supported by slf4j v1.7.7.
But the only advice you'll get from us here is to upgrade Solr. It may not be as difficult as you fear. You need to migrate some field types in schema and re-index, but both update and select APIs should be compatible.

Jan


Re: Upgrading log4j

Posted by Jan Høydahl <ja...@cominvent.com>.
I'm not aware that it is possible, but you could easily swap it out with any log lib supported by slf4j v1.7.7.
But the only advice you'll get from us here is to upgrade Solr. It may not be as difficult as you fear. You need to migrate some field types in schema and re-index, but both update and select APIs should be compatible.

Jan

> 31. mar. 2023 kl. 19:46 skrev Aravind Reddy Jangam <Ar...@Clarivate.com.INVALID>:
> 
> Thanks, even though log4j in solr is not affected by log4shell issue, I wanted to check if it's possible to upgrade log4j without upgrading solr
> As log4j version is end of life and apache recommends to upgrade to log4j version 2
> 
> https://news.apache.org/foundation/entry/apache_logging_services_project_announces
>  
> Thanks 

RE: Upgrading log4j

Posted by Aravind Reddy Jangam <Ar...@Clarivate.com.INVALID>.
Thanks, even though log4j in solr is not affected by log4shell issue, I wanted to check if it's possible to upgrade log4j without upgrading solr
As log4j version is end of life and apache recommends to upgrade to log4j version 2

https://news.apache.org/foundation/entry/apache_logging_services_project_announces

Thanks


Re: Upgrading log4j

Posted by Jan Høydahl <ja...@cominvent.com>.
Hi,

Why do you believe you need to upgrade log4j in solr 6? It was not affected by the log4shell issue.
See our article at https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 where we state that Solr 7.4.0 is the earliest Solr version vulnerable to log4shell.

But of course, running such an old version of Solr makes you vulnerable to other risks:
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Asolr&cpe_version=cpe%3A%2F%3Aapache%3Asolr%3A6.6.6

Jan

> 31. mar. 2023 kl. 16:37 skrev Aravind Reddy Jangam <Ar...@Clarivate.com.INVALID>:
> 
> Hi
> 
> We are running solr version 6 & log4j version 1.x.
> Is it possible to upgrade log4j to version 2.x without upgrading solr 6?
> 
> Thanks
> 
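
Added example, not part of any message in this thread and not Solr project code: a read-only inventory of the logging jars in a directory, showing whether log4j 1.x or log4j 2.x is present and which SLF4J binding is in use, the two facts the replies above turn on. The directory is passed as an argument (no Solr path is assumed), and the file-name patterns are assumptions based on the usual Maven artifact names.

```shell
#!/bin/sh
# Added example: inventory logging jars by file name (read-only).
# Patterns assume the usual Maven artifact names; the directory is an argument.

classify_jar() {
    # $1 = jar base name. Order matters: the log4j 2 bridge jar
    # log4j-1.2-api-<ver>.jar also starts with "log4j-1." and is matched first.
    case "$1" in
        log4j-1.2-api-*.jar)     echo "log4j2-bridge-for-1.x-api" ;;
        log4j-core-2.*.jar)      echo "log4j2-core" ;;
        log4j-api-2.*.jar)       echo "log4j2-api" ;;
        log4j-slf4j*-impl-*.jar) echo "slf4j-binding-to-log4j2" ;;
        log4j-1.*.jar)           echo "log4j1" ;;
        slf4j-log4j12-*.jar)     echo "slf4j-binding-to-log4j1" ;;
        logback-classic-*.jar)   echo "slf4j-binding-to-logback" ;;
        slf4j-api-*.jar)         echo "slf4j-api" ;;
        *)                       echo "other" ;;
    esac
}

scan_logging_jars() {
    # $1 = directory of jars; prints "label<TAB>file" for logging jars, sorted.
    for f in "$1"/*.jar; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        label=$(classify_jar "$name")
        [ "$label" = "other" ] || printf '%s\t%s\n' "$label" "$name"
    done | sort
}

count_bindings() {
    # SLF4J 1.7 warns when more than one binding is on the classpath,
    # so a swap should leave exactly one.
    scan_logging_jars "$1" | grep -c '^slf4j-binding-' || true
}

# Usage: sh scan.sh /path/to/jar/dir
if [ "$#" -gt 0 ]; then
    scan_logging_jars "$1"
    echo "slf4j bindings found: $(count_bindings "$1")"
fi
```

A binding count other than 1 after swapping the logging library means the old binding jar was left in place or the new one is missing.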