Posted to users@solr.apache.org by Manisha Rahatadkar <Ma...@AnjuSoftware.com> on 2021/12/14 15:00:33 UTC

Question Apache Solr 7.7.0, 8.7 and 8.9 - log4j vulnerability

Hello all

We are using Apache Solr 7.7.0, 8.7 and 8.9 on Windows and Linux environments. What mitigation option do we need to take for this vulnerability?

Thank you in advance.

Regards
Manisha


Confidentiality Notice
====================
This email message, including any attachments, is for the sole use of the intended recipient and may contain confidential and privileged information. Any unauthorized view, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Anju Software, Inc. 4500 S. Lakeshore Drive, Suite 620, Tempe, AZ USA 85282.

Re: Question Apache Solr 7.7.0, 8.7 and 8.9 - log4j vulnerability

Posted by Vincenzo D'Amore <v....@gmail.com>.
When starting Solr, add this to your env:

SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"

On Tue, Dec 14, 2021 at 4:07 PM Andy Lester <an...@petdance.com> wrote:

>
>
> > On Dec 14, 2021, at 9:00 AM, Manisha Rahatadkar
> <Ma...@AnjuSoftware.com> wrote:
> >
> > We are using  Apache Solr 7.7.0, 8.7 and 8.9 on Windows and Linux
> environment. What mitigation option do we need to take for this
> vulnerability?
>
>
>
> https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228



-- 
Vincenzo D'Amore

Re: Question Apache Solr 7.7.0, 8.7 and 8.9 - log4j vulnerability

Posted by Andy Lester <an...@petdance.com>.

> On Dec 14, 2021, at 9:00 AM, Manisha Rahatadkar <Ma...@AnjuSoftware.com> wrote:
> 
> We are using  Apache Solr 7.7.0, 8.7 and 8.9 on Windows and Linux environment. What mitigation option do we need to take for this vulnerability?


https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

Re: Question Apache Solr 7.7.0, 8.7 and 8.9 - log4j vulnerability

Posted by Mike Drob <md...@mdrob.com>.
You can download log4j at https://logging.apache.org/log4j/2.x/download.html

When replacing the jar files, you will also need to restart your services.

On Tue, Dec 14, 2021 at 9:30 AM Manisha Rahatadkar <
Manisha.Rahatadkar@anjusoftware.com> wrote:

> Hello all
>
>
>
> We are using  Apache Solr 7.7.0, 8.7 and 8.9 on Windows and Linux
> environment. What mitigation option do we need to take for this
> vulnerability?
>
> Where to get the log4j2? Can we just replace the log4j* files in
> solr-8.7.0\server\lib\ext folder? Will it work?
>
>
>
> https://solr.apache.org/security.html
>
>
>
>
>
> Thank you in advance.
>
>
>
> Regards
>
> Manisha
>
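
An added example, not part of any poster's message or of Solr itself: POSIX shell functions that report on the two mitigations suggested in this thread, the `-Dlog4j2.formatMsgNoLookups=true` flag and the replaced log4j jars in `server/lib/ext`. The function names are hypothetical; the Solr home, the include file path and the minimum log4j version are arguments the operator supplies (the version from the Solr security advisory), and versions are read from the jar file names.

```shell
#!/bin/sh
# Added example: report on the two mitigations discussed in this thread.
# The minimum log4j version is an argument on purpose: take it from the
# Solr security advisory rather than from this script.

# Return 0 if dotted version $1 is strictly lower than $2.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Print "<status> <version> <jar>" for every log4j-*.jar under
# $1/server/lib/ext; return 1 if any jar is older than $2.
# Assumption: the version is the part of the file name after the last "-".
audit_log4j_jars() {
  solr_home=$1; min_version=$2; rc=0
  for jar in "$solr_home"/server/lib/ext/log4j-*.jar; do
    [ -e "$jar" ] || continue            # glob matched nothing
    ver=${jar##*-}; ver=${ver%.jar}
    if version_lt "$ver" "$min_version"; then
      echo "OUTDATED $ver $jar"; rc=1
    else
      echo "OK $ver $jar"
    fi
  done
  return $rc
}

# Return 0 if include file $1 sets the flag on a non-comment line.
has_nolookups_flag() {
  grep -v '^[[:space:]]*#' "$1" |
    grep -q -e '-Dlog4j2\.formatMsgNoLookups=true'
}

# Usage: audit_solr <solr home> <solr.in.sh path> <minimum log4j version>
audit_solr() {
  audit_log4j_jars "$1" "$3" ||
    echo "-> replace every log4j jar as a set, then restart Solr"
  if has_nolookups_flag "$2"; then echo "flag set in $2"
  else echo "flag missing in $2"; fi
}
```

The jar check covers only `server/lib/ext`, the folder named in the thread, and a jar that was replaced without restarting Solr still shows as OK here while the old classes stay loaded.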

RE: Question Apache Solr 7.7.0, 8.7 and 8.9 - log4j vulnerability

Posted by Manisha Rahatadkar <Ma...@AnjuSoftware.com>.
Hello all

We are using Apache Solr 7.7.0, 8.7 and 8.9 on Windows and Linux environments. What mitigation option do we need to take for this vulnerability?
Where can we get log4j2? Can we just replace the log4j* files in the solr-8.7.0\server\lib\ext folder? Will it work?

https://solr.apache.org/security.html

Thank you in advance.

Regards
Manisha

