Posted to dev@solr.apache.org by "Heller, George A III CTR (USA)" <ge...@mail.mil.INVALID> on 2022/03/11 13:29:50 UTC
How do you upgrade log4j 2.16.0 to log4j 2.17.1?? (Solr 8.11.1)
We have a Solr 8.11.1 installation we are getting ready to deploy to production.
Our security people sent a finding that log4j 2.16.0 is vulnerable to a DoS attack, so we either want to upgrade Solr to a newer release or upgrade log4j to 2.17.0.
I see that there is no current release of Solr newer than 8.11.1, which we already have, and I see some talk of an Apache log4j patch that will upgrade log4j to 2.17.0.
I have not yet found a link to get the log4j patch or information on how to implement the upgrade.
Any help on how to accomplish this would be greatly appreciated.
Thanks,
George Heller
Re: How do you upgrade log4j 2.16.0 to log4j 2.17.1?? (Solr 8.11.1)
Posted by Jan Høydahl <ja...@cominvent.com>.
Please do not cross-post to several lists. I'm replying only to the users list.
Solr 8.11.1 is not vulnerable to the attack you refer to. Please see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 for details.
If your organization has rigid policies and will not allow that version of the library even if it is safe, you can simply replace the log4j*.jar files inside the tarball after download with the 2.17.0 version, and that's it.
Jan
> On 11 Mar 2022, at 14:29, Heller, George A III CTR (USA) <ge...@mail.mil.INVALID> wrote:
>
> We have a Solr 8.11.1 installation we are getting ready to deploy to production.
> Our security people sent a finding that log4j 2.16.0 is vulnerable to a DoS attack, so we either want to upgrade Solr to a newer release or upgrade log4j to 2.17.0.
> I see that there is no current release of Solr newer than 8.11.1, which we already have, and I see some talk of an Apache log4j patch that will upgrade log4j to 2.17.0.
> I have not yet found a link to get the log4j patch or information on how to implement the upgrade.
>
> Any help on how to accomplish this would be greatly appreciated.
>
> Thanks,
> George Heller
Re: How do you upgrade log4j 2.16.0 to log4j 2.17.1?? (Solr 8.11.1)
Posted by Robert Pearce <rp...@gmail.com>.
We simply deleted the earlier versions of the log4j jars from the server/lib/ext folder and replaced them with 2.17.1 versions, and restarted Solr.
Works normally.
> On 11 Mar 2022, at 13:29, Heller, George A III CTR (USA) <ge...@mail.mil.invalid> wrote:
>
> We have a Solr 8.11.1 installation we are getting ready to deploy to production.
> Our security people sent a finding that log4j 2.16.0 is vulnerable to a DoS attack, so we either want to upgrade Solr to a newer release or upgrade log4j to 2.17.0.
> I see that there is no current release of Solr newer than 8.11.1, which we already have, and I see some talk of an Apache log4j patch that will upgrade log4j to 2.17.0.
> I have not yet found a link to get the log4j patch or information on how to implement the upgrade.
>
> Any help on how to accomplish this would be greatly appreciated.
>
> Thanks,
> George Heller
>
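Added example (not from any poster or from the Solr project): a small POSIX sh check that inventories the log4j-*.jar files in a directory such as server/lib/ext, as Robert describes, and flags any below a required version, so that a jar swap can be verified before restarting Solr. It assumes jar names end in -<major>.<minor>.<patch>.jar; the demo directory and its jar names are constructed.

```shell
#!/bin/sh
# Returns 0 if dotted version $1 is >= version $2 (x.y.z assumed), else 1.
version_ge() {
    v=$1; m=$2
    oldifs=$IFS; IFS=.
    set -- $v; v1=${1:-0}; v2=${2:-0}; v3=${3:-0}
    set -- $m; m1=${1:-0}; m2=${2:-0}; m3=${3:-0}
    IFS=$oldifs
    if [ "$v1" -ne "$m1" ]; then [ "$v1" -gt "$m1" ]; return; fi
    if [ "$v2" -ne "$m2" ]; then [ "$v2" -gt "$m2" ]; return; fi
    [ "$v3" -ge "$m3" ]
}

# Prints one status line per log4j-*.jar in directory $1; returns 0 only
# when every jar is at version $2 or newer, 1 if any is outdated.
check_log4j_jars() {
    dir=$1; min=$2; bad=0
    for jar in "$dir"/log4j-*.jar; do
        [ -e "$jar" ] || continue
        name=$(basename "$jar" .jar)
        ver=${name##*-}          # text after the last '-' is the version
        if version_ge "$ver" "$min"; then
            echo "OK        $name"
        else
            echo "OUTDATED  $name (need >= $min)"
            bad=1
        fi
    done
    return $bad
}

# Constructed demo: a throwaway directory holding the usual log4j jar
# names at version $1 (empty placeholder files, not real jars), checked
# against the 2.17.1 baseline the thread discusses. Returns the check's status.
demo_check() {
    tmp=$(mktemp -d)
    for j in log4j-api log4j-core log4j-slf4j-impl log4j-1.2-api log4j-web; do
        : > "$tmp/$j-$1.jar"
    done
    check_log4j_jars "$tmp" 2.17.1
    status=$?
    rm -rf "$tmp"
    return $status
}

# Stand-alone run: the shipped 2.16.0 jars fail, replaced 2.17.1 jars pass.
demo_check 2.16.0 || echo "-> jars still need replacing"
demo_check 2.17.1 && echo "-> all log4j jars at or above 2.17.1"
```

On a real install run `check_log4j_jars /path/to/solr/server/lib/ext 2.17.1` before and after the swap; a leftover older jar next to the new one will show up as OUTDATED.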