Posted to users@solr.apache.org by Mo...@cognizant.com on 2022/03/29 12:27:54 UTC

Remediation for Log4j2 2.14.1 security vulnerability

Hi,

I am using Solr 7.2.1 and our system detected it to be vulnerable. Here are the details.

Source: The Exploit-DB
Reference: CVE-2021-44228
Description: Apache Log4j2 2.14.1 - Information Disclosure - The Exploit-DB Ref : 50590
Link: http://www.exploit-db.com/exploits/50590
Reference: CVE-2021-44228
Description: Apache Log4j 2 - Remote Code Execution (RCE) - The Exploit-DB Ref : 50592
Link: http://www.exploit-db.com/exploits/50592

Can someone please help me with how to remediate this? One of the solutions provided is below:

https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

but it is for 7.4 or higher versions.

I know one of the solutions is to upgrade it, but we have a tight dependency on this from Sitecore CMS.
It would be very helpful if someone can provide any guidance.

Thanks and Regards,
Mohd Imadoddin


Re: Remediation for Log4j2 2.14.1 security vulnerability

Posted by Shawn Heisey <ap...@elyograg.org>.
On 3/29/2022 8:24 PM, Shawn Heisey wrote:
> Upgrading log4j in 7.2.1 is probably not an easy task.  It would be 
> much easier to upgrade to at least Solr 7.4.0, which was the first 
> version of Solr to use log4j2.  Then you could simply replace the 
> log4j2 jars in the Solr download with the newer version from log4j.

Alternately, you could reconfigure the logging system to log to another 
destination entirely, and not even use log4j.  This is not difficult, 
but it requires some jar changing, and you would need to fiddle with the 
start script to provide a configuration to the alternate logging 
destination.

Thanks,
Shawn


Re: Remediation for Log4j2 2.14.1 security vulnerability

Posted by Shawn Heisey <ap...@elyograg.org>.
On 3/29/2022 6:27 AM, Mohd.imadoddin@cognizant.com wrote:
> I am using Solr 7.2.1 and our system detected it to be vulnerable. Here are the details.
>
> Source: The Exploit-DB
> Reference: CVE-2021-44228
> Description: Apache Log4j2 2.14.1 - Information Disclosure - The Exploit-DB Ref : 50590
> Link: http://www.exploit-db.com/exploits/50590
> Reference: CVE-2021-44228
> Description: Apache Log4j 2 - Remote Code Execution (RCE) - The Exploit-DB Ref : 50592
> Link: http://www.exploit-db.com/exploits/50592

Solr 7.2.1 does NOT come with log4j2.  It includes log4j 1.2.17. You'll 
find vulnerabilities on that too.

https://logging.apache.org/log4j/1.2/index.html

Upgrading log4j in 7.2.1 is probably not an easy task.  It would be much 
easier to upgrade to at least Solr 7.4.0, which was the first version of 
Solr to use log4j2.  Then you could simply replace the log4j2 jars in 
the Solr download with the newer version from log4j.

Thanks,
Shawn
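As an added check, not code from this thread or from the Solr project: a small inventory that reports which log4j generation a Solr tree actually ships, which is the distinction Shawn draws above (7.2.1 carries log4j 1.2.17, not log4j2). The jar file names, the server/lib/ext layout and the two fixture trees are constructed for the example; the JndiLookup class test is an added check for the log4j-core 2.x class that CVE-2021-44228 concerns, which log4j 1.x does not contain.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Matches both generations: log4j-1.2.17.jar (log4j 1.x) and log4j-core-2.14.1.jar (log4j2).
JAR_RE = re.compile(r"^(log4j(?:-[a-z0-9.-]+?)?)-(\d+)\.(\d+)\.(\d+)\.jar$")
# The CVE-2021-44228 code path lives in this log4j-core 2.x class; log4j 1.x has no such class.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify_jar(path):
    """Return a report dict for a log4j jar, or None if the file is not a log4j jar."""
    m = JAR_RE.match(path.name)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.group(2, 3, 4))
    with zipfile.ZipFile(path) as jar:
        jndi_present = JNDI_CLASS in jar.namelist()
    return {"artifact": m.group(1), "version": (major, minor, patch),
            "generation": 1 if major == 1 else 2, "jndi_lookup_present": jndi_present}

def scan_solr(root):
    """Walk a Solr install tree and report every log4j jar found under it."""
    root = Path(root)
    reports = []
    for jar in sorted(root.rglob("*.jar")):
        report = classify_jar(jar)
        if report:
            report["path"] = jar.relative_to(root).as_posix()
            reports.append(report)
    return reports

def make_fixture(generation):
    """Constructed stand-in for a Solr tree (assumed server/lib/ext layout):
    generation 1 mimics what 7.2.1 ships (log4j 1.2.17), generation 2 a log4j2 2.14.1 install."""
    root = Path(tempfile.mkdtemp())
    ext = root / "server" / "lib" / "ext"
    ext.mkdir(parents=True)
    if generation == 1:
        jars = {"log4j-1.2.17.jar": ["org/apache/log4j/Logger.class"]}
    else:
        jars = {"log4j-api-2.14.1.jar": ["org/apache/logging/log4j/Logger.class"],
                "log4j-core-2.14.1.jar": ["org/apache/logging/log4j/core/Logger.class", JNDI_CLASS]}
    for name, entries in jars.items():
        with zipfile.ZipFile(ext / name, "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")  # empty placeholder; only the entry name matters here
    return root
```

Point `scan_solr` at a real Solr home to see what the scanner in the question should have been matching on; a generation 1 result means the log4j2 findings do not apply, while the end-of-life status Shawn mentions still does.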