You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@solr.apache.org by "Michael Schumann (Jira)" <ji...@apache.org> on 2021/12/10 19:42:00 UTC

[jira] [Commented] (SOLR-15846) High security vulnerability in Log4J - CVE-2021-44228 bundled with Solr

    [ https://issues.apache.org/jira/browse/SOLR-15846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457340#comment-17457340 ] 

Michael Schumann commented on SOLR-15846:
-----------------------------------------

https://logging.apache.org/log4j/2.x/security.html

> High security vulnerability in Log4J - CVE-2021-44228 bundled with Solr
> -----------------------------------------------------------------------
>
>                 Key: SOLR-15846
>                 URL: https://issues.apache.org/jira/browse/SOLR-15846
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.4, 8.0, 8.11
>            Reporter: Michael Schumann
>            Priority: Major
>
> h2. Description
> A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0-beta9 and before and including 2.14.1. This could allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.
> h2. Statement
> This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:
>  * A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,
>  * A log statement in the endpoint that logs the attacker controlled data.
> Due to the existence of JMS Appender which can use JNDI in the log4j 1.x, it is possible that log4j version 1.x is also affected by this vulnerability. The impact is still under investigation.
> h2. Mitigation
> There are two possible mitigations for this flaw in versions from 2.10 to 2.14.1:
> - Set the system property log4j2.formatMsgNoLookups to true, or
> - Remove the JndiLookup class from the classpath. For example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
>  
> Another mitigation is to upgrade to version 2.15
>  
> +*References:*+ 
> [https://www.lunasec.io/docs/blog/log4j-zero-day/] 
> [https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html] 
> [https://help.aliyun.com/noticelist/articleid/1060971232.html] - Original Advisory



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org