Posted to users@solr.apache.org by David Smiley <ds...@apache.org> on 2021/12/12 14:55:04 UTC

[ANNOUNCEMENT] Solr's Docker images were updated to remediate a CVE

Apache Solr's Docker images were updated some hours ago with a simple
remediation to avoid the Log4j 2 vulnerability[1] that many of you are
becoming aware of -- Log4j 2 CVE-2021-44228.
Just a "docker pull solr:tagVersionYouUse"  (e.g. 8.11 or whatever) will
update it for you.  The remediation in these updated images was simply
setting a Java system property to disable this misfeature of Log4j 2.  If
you have your own custom Docker image, you can easily do likewise, e.g. by
customizing the command to run the image to have an additional argument[2]
(a common remediation for other affected images).  To have confidence that
this was done correctly, log into your Solr admin screen and see the "Args"
section and look for
"-Dlog4j2.formatMsgNoLookups=true".

This is sufficient, but understand that vulnerability scanners will
continue to report that Solr's images are vulnerable because they can't
realistically know if Solr's configuration (e.g. via this system property)
defeats the problem.  It's possible the Solr project may retroactively
update these images in the future for this reason.

[1]
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
[2] https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley
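As an added example (not part of either post), a small check of the JVM arguments that Solr reports from its /solr/admin/info/system handler, which is the same data the admin screen's "Args" section shows. The JSON below is a constructed sample trimmed to the relevant keys, and the function names are mine; it handles the case where the property is repeated, since the JVM lets the last -D occurrence win.

```python
import json

# Constructed sample of the JSON returned by /solr/admin/info/system,
# trimmed to the "jvm" section; the real response carries many more keys.
SAMPLE_SYSTEM_INFO = json.dumps({
    "jvm": {
        "version": "11.0.13 11.0.13+8",
        "jmx": {
            "commandLineArgs": [
                "-Xms512m", "-Xmx512m",
                "-Dsolr.log.dir=/var/solr/logs",
                "-Dlog4j2.formatMsgNoLookups=true",
            ]
        }
    }
})

PROPERTY = "log4j2.formatMsgNoLookups"


def effective_property(args, name):
    """Return the value of -Dname=... as the JVM sees it.

    -D flags are applied left to right, so when a property is repeated the
    last occurrence wins; a bare "-Dname" with no "=" sets it to "".
    Returns None when the property is not set at all."""
    value = None
    for arg in args:
        if not arg.startswith("-D"):
            continue
        key, sep, val = arg[2:].partition("=")
        if key == name:
            value = val if sep else ""
    return value


def lookups_disabled(system_info_json):
    """True if the running JVM has log4j2.formatMsgNoLookups set to a value
    Log4j 2 treats as true (it compares the string case-insensitively)."""
    info = json.loads(system_info_json)
    args = info.get("jvm", {}).get("jmx", {}).get("commandLineArgs", [])
    value = effective_property(args, PROPERTY)
    return value is not None and value.strip().lower() == "true"


if __name__ == "__main__":
    # In practice fetch the JSON with e.g.
    #   curl -s 'http://localhost:8983/solr/admin/info/system?wt=json'
    print("mitigation present:", lookups_disabled(SAMPLE_SYSTEM_INFO))
```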

Re: [ANNOUNCEMENT] Solr's Docker images were updated to remediate a CVE

Posted by Andy Lester <an...@petdance.com>.
For those of you like me who want to explicitly set the variable without relying on which of the two Docker images with the same tag you’re pulling down, and you’re using a Dockerfile to add on to make your own Solr Docker image, add these lines:

# Add option to mitigate log4j security vulnerability.
USER root
RUN echo 'SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"' >> /etc/default/solr.in.sh
USER solr

Andy