Posted to users@solr.apache.org by "Heller, George A III CTR (USA)" <ge...@mail.mil.INVALID> on 2022/03/23 18:36:35 UTC

Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

I have seen the emails about Solr not being affected by the DoS vulnerability associated with LOG4J 2.16, but SOLR failed a security scan because of it and the bosses want it upgraded.
Can someone tell me where I can download an upgrade or patch for LOG4J and instructions on how to implement it?
Thanks,

George
Re: [URL Verdict: Neutral][Non-DoD Source] Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by Shawn Heisey <ap...@elyograg.org>.
On 3/24/22 09:38, Heller, George A III CTR (USA) wrote:
> BTW, Do you know of anything other than nssm or AlwaysUp that would create a Windows service to start Solr when the server is rebooted?
>
> NSSM failed our security scan and not sure if cheap bosses want to pay the small fee for AlwaysUp.

My honest opinion for how you can best deal with a Windows server?  
Don't run Windows.  Put the workload onto one of the open source 
operating systems.  I use Linux, but there are also other choices.

Since you're probably in a situation where you can't follow that 
advice...  NSSM is what I've seen used quite a bit.  Apache has a 
project that I think will work as well.

https://commons.apache.org/proper/commons-daemon/procrun.html

I found a number of resources with "run java application as a service on 
windows" as a google search.

I couldn't find any mention of a confirmed vulnerability in NSSM. I did 
find something about a vulnerability in the CouchDB installer related to 
installing NSSM but I haven't yet found anything for NSSM itself.

Thanks,
Shawn


RE: [URL Verdict: Neutral][Non-DoD Source] Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by "Heller, George A III CTR (USA)" <ge...@mail.mil.INVALID>.
Thanks for the helpful info. I did notice there was no equivalent for log4j-layout-template-json-2.16.0. 

We have changed the query return from XML to JSON, but have done nothing to the logging.

I will implement this solution after lunch and test it (make sure solr runs and populates the logs). 

BTW, do you know of anything other than nssm or AlwaysUp that would create a Windows service to start Solr when the server is rebooted?

NSSM failed our security scan, and I'm not sure if cheap bosses want to pay the small fee for AlwaysUp.

Thanks Again for Your Helpful Info,
George

-----Original Message-----
From: Shawn Heisey <ap...@elyograg.org> 
Sent: Wednesday, March 23, 2022 10:55 PM
To: users@solr.apache.org
Subject: [URL Verdict: Neutral][Non-DoD Source] Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

On 3/23/2022 12:36 PM, Heller, George A III CTR (USA) wrote:
> Can someone tell me where I can download an upgrade or patch for LOG4J 
> and instructions on how to implement it?

Did you try googling?  Because if I enter "log4j download" (minus the
quotes) into Google, the first hit looks like it is exactly what you want.  You'll want the "binary" download, either .tar.gz or .zip format.

As for what to do with it once you download it, just find all the log4j jars in your Solr directory and replace them with jars from the log4j archive that have the same names and different version numbers.  There has been a fair amount of user testing and we have determined that this is a safe operation, as long as you don't leave some jars at a different version than the rest.  The log4j public API is very stable, which is why this is safe to do, but I have no idea how stable their internal APIs are.

Depending on the exact Solr version you have, you may have a jar that starts with "log4j-layout-template-json" ... this jar won't be in the log4j download.  If you have not changed Solr's logging configuration so that it outputs JSON formatted logs, you can safely delete this one jar.  If you actually need an upgraded version of that jar, you can find it on Maven Central.

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-layout-template-json/2.17.2/log4j-layout-template-json-2.17.2.jar

Thanks,
Shawn

https://lmgtfy.app/?q=log4j+download

Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by Shawn Heisey <ap...@elyograg.org>.
On 3/23/2022 12:36 PM, Heller, George A III CTR (USA) wrote:
> Can someone tell me where I can download an upgrade or patch for LOG4J 
> and instructions on how to implement it?

Did you try googling?  Because if I enter "log4j download" (minus the 
quotes) into Google, the first hit looks like it is exactly what you 
want.  You'll want the "binary" download, either .tar.gz or .zip format.

As for what to do with it once you download it, just find all the log4j 
jars in your Solr directory and replace them with jars from the log4j 
archive that have the same names and different version numbers.  There 
has been a fair amount of user testing and we have determined that this 
is a safe operation, as long as you don't leave some jars at a different 
version than the rest.  The log4j public API is very stable, which is 
why this is safe to do, but I have no idea how stable their internal 
APIs are.

Depending on the exact Solr version you have, you may have a jar that 
starts with "log4j-layout-template-json" ... this jar won't be in the 
log4j download.  If you have not changed Solr's logging configuration so 
that it outputs JSON formatted logs, you can safely delete this one 
jar.  If you actually need an upgraded version of that jar, you can find 
it on Maven Central.

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-layout-template-json/2.17.2/log4j-layout-template-json-2.17.2.jar

Thanks,
Shawn

https://lmgtfy.app/?q=log4j+download
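The jar-swap Shawn describes above, as an added example that is not part of the thread or of the Solr project: a small POSIX shell helper that lists the log4j jars under a Solr install, checks that they all carry one version (the "don't leave some jars at a different version than the rest" caveat), and replaces each with the same-named artifact from an unpacked log4j binary release. It assumes the jar naming convention `log4j-<artifact>-<version>.jar`, that the release directory is the flat directory of jars from the .tar.gz/.zip download, and that the Solr install directory contains the jars under a path such as `server/lib/ext` (the script searches recursively, so the exact path does not matter). A jar with no counterpart in the release, such as `log4j-layout-template-json`, is reported and left alone rather than deleted, because whether it can go depends on whether JSON logging is configured.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the Solr project or the thread).
# Assumes jars are named log4j-<artifact>-<version>.jar, e.g. log4j-core-2.16.0.jar.

# Version from a jar path: log4j-core-2.16.0.jar -> 2.16.0 (empty for -sources/-javadoc jars).
log4j_jar_version() {
    basename "$1" .jar | sed -n 's/^log4j-.*-\([0-9][0-9.]*\)$/\1/p'
}

# Artifact id from a jar path: log4j-core-2.16.0.jar -> log4j-core
log4j_jar_artifact() {
    basename "$1" .jar | sed 's/-[0-9][0-9.]*$//'
}

# Distinct versions of every log4j jar found (recursively) under $1, one per line.
log4j_versions_in() {
    find "$1" -type f -name 'log4j-*.jar' | while read -r jar; do
        log4j_jar_version "$jar"
    done | sort -u
}

# Succeeds only if all log4j jars under $1 share a single version.
# Run this before the swap (sanity) and again after it (nothing left behind).
log4j_versions_consistent() {
    [ "$(log4j_versions_in "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# Replace each log4j jar under $1 (Solr dir) with the same artifact from $2
# (unpacked log4j release dir). Jars without a counterpart in $2 are reported
# on stderr and left in place; stop Solr before running this.
upgrade_log4j_jars() {
    solr_dir=$1; release_dir=$2
    [ -d "$solr_dir" ] && [ -d "$release_dir" ] || { echo "usage: upgrade_log4j_jars SOLR_DIR RELEASE_DIR" >&2; return 1; }
    find "$solr_dir" -type f -name 'log4j-*.jar' | while read -r jar; do
        artifact=$(log4j_jar_artifact "$jar")
        # Pick only the main artifact jar, not log4j-<artifact>-<ver>-sources.jar etc.
        new=$(find "$release_dir" -maxdepth 1 -type f -name "${artifact}-*.jar" \
              | grep -E "/${artifact}-[0-9]+(\.[0-9]+)*\.jar$" | head -n 1)
        if [ -z "$new" ]; then
            echo "no replacement for $(basename "$jar") in $release_dir; handle it manually" >&2
            continue
        fi
        cp "$new" "$(dirname "$jar")/$(basename "$new")" && rm "$jar"
        echo "replaced $(basename "$jar") with $(basename "$new")"
    done
}
```

Typical use is `log4j_versions_consistent /opt/solr && upgrade_log4j_jars /opt/solr ~/apache-log4j-2.17.2-bin`, followed by a second `log4j_versions_consistent` run; a non-zero result from that second check is the signal that one jar (usually the JSON layout template) still needs a manual decision.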

Re: [URL Verdict: Neutral][Non-DoD Source] Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by matthew sporleder <ms...@gmail.com>.
You need to manage your risk in that case --

Which is worse: a potential log4j vulnerability, your own "hacked" solr
war, deploying a pre-release, or delaying the prod rollout?

Will your security scan team allow you to give a mitigation plan and a
timeline for a prod upgrade?
On Thu, Mar 24, 2022 at 8:33 AM Heller, George A III CTR (USA)
<ge...@mail.mil.invalid> wrote:

> What happens if we need to deploy to production before 8.11.2 is released?
>
> -----Original Message-----
> From: Houston Putman <ho...@apache.org>
> Sent: Wednesday, March 23, 2022 7:15 PM
> To: users@solr.apache.org
> Subject: [URL Verdict: Neutral][Non-DoD Source] Re: Solr 8.11.1 upgrading
> LOG4J from 2.16 to 2.17
>
> Please do not create another JIRA, it is already committed, just waiting
> on the 8.11.2 release.
>
> https://issues.apache.org/jira/browse/SOLR-15871
>
> The suggestion across multiple threads in the users list has been to
> remove the log4j jar, and replace it with the 2.17.1 jar, which will pass
> security checks.
>
> On Wed, Mar 23, 2022 at 5:53 PM Ishan Chattopadhyaya <
> ichattopadhyaya@gmail.com> wrote:
>
> > And feel free to open a new JIRA for this log4j upgrade, it will get
> > picked up in 8.11.2 (whenever someone gets time to release it).
> >
> > On Thu, Mar 24, 2022 at 3:18 AM Ishan Chattopadhyaya <
> > ichattopadhyaya@gmail.com> wrote:
> >
> > > Here's the issue where Log4J was upgraded. You can look at the pull
> > > request there to find out what you need to change. After that, you
> > > can build your own Solr binaries for your use (fix in
> > > github.com/apache/lucene-solr's branch_8_11 and build using "ant
> > > ivy-bootstrap; cd solr; ant package" which will generate a .tgz file).
> > > https://issues.apache.org/jira/browse/SOLR-15843
> > >
> > > On Thu, Mar 24, 2022 at 12:42 AM Andy Lester <an...@petdance.com>
> wrote:
> > >
> > >> Go to the https://solr.apache.org/security.html URL and you
> > >> will find instructions there on what to do.
> > >>
> > >> Andy
> > >
> > >
> >
>

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by "Heller, George A III CTR (USA)" <ge...@mail.mil.INVALID>.
What happens if we need to deploy to production before 8.11.2 is released?

-----Original Message-----
From: Houston Putman <ho...@apache.org> 
Sent: Wednesday, March 23, 2022 7:15 PM
To: users@solr.apache.org
Subject: [URL Verdict: Neutral][Non-DoD Source] Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Please do not create another JIRA, it is already committed, just waiting on the 8.11.2 release.

https://issues.apache.org/jira/browse/SOLR-15871

The suggestion across multiple threads in the users list has been to remove the log4j jar, and replace it with the 2.17.1 jar, which will pass security checks.

On Wed, Mar 23, 2022 at 5:53 PM Ishan Chattopadhyaya < ichattopadhyaya@gmail.com> wrote:

> And feel free to open a new JIRA for this log4j upgrade, it will get 
> picked up in 8.11.2 (whenever someone gets time to release it).
>
> On Thu, Mar 24, 2022 at 3:18 AM Ishan Chattopadhyaya < 
> ichattopadhyaya@gmail.com> wrote:
>
> > Here's the issue where Log4J was upgraded. You can look at the pull 
> > request there to find out what you need to change. After that, you 
> > can build your own Solr binaries for your use (fix in 
> > github.com/apache/lucene-solr's branch_8_11 and build using "ant 
> > ivy-bootstrap; cd solr; ant package" which will generate a .tgz file).
> > https://issues.apache.org/jira/browse/SOLR-15843
> >
> > On Thu, Mar 24, 2022 at 12:42 AM Andy Lester <an...@petdance.com> wrote:
> >
> >> Go to the https://solr.apache.org/security.html URL and you 
> >> will find instructions there on what to do.
> >>
> >> Andy
> >
> >
>

Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by Houston Putman <ho...@apache.org>.
Please do not create another JIRA, it is already committed, just waiting on
the 8.11.2 release.

https://issues.apache.org/jira/browse/SOLR-15871

The suggestion across multiple threads in the users list has been to remove
the log4j jar, and replace it with the 2.17.1 jar, which will pass security
checks.

On Wed, Mar 23, 2022 at 5:53 PM Ishan Chattopadhyaya <
ichattopadhyaya@gmail.com> wrote:

> And feel free to open a new JIRA for this log4j upgrade, it will get picked
> up in 8.11.2 (whenever someone gets time to release it).
>
> On Thu, Mar 24, 2022 at 3:18 AM Ishan Chattopadhyaya <
> ichattopadhyaya@gmail.com> wrote:
>
> > Here's the issue where Log4J was upgraded. You can look at the pull
> > request there to find out what you need to change. After that, you can
> > build your own Solr binaries for your use (fix in
> > github.com/apache/lucene-solr's branch_8_11 and build using "ant
> > ivy-bootstrap; cd solr; ant package" which will generate a .tgz file).
> > https://issues.apache.org/jira/browse/SOLR-15843
> >
> > On Thu, Mar 24, 2022 at 12:42 AM Andy Lester <an...@petdance.com> wrote:
> >
> >> Go to the https://solr.apache.org/security.html URL and you will find
> >> instructions there on what to do.
> >>
> >> Andy
> >
> >
>

Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by Ishan Chattopadhyaya <ic...@gmail.com>.
And feel free to open a new JIRA for this log4j upgrade, it will get picked
up in 8.11.2 (whenever someone gets time to release it).

On Thu, Mar 24, 2022 at 3:18 AM Ishan Chattopadhyaya <
ichattopadhyaya@gmail.com> wrote:

> Here's the issue where Log4J was upgraded. You can look at the pull
> request there to find out what you need to change. After that, you can
> build your own Solr binaries for your use (fix in
> github.com/apache/lucene-solr's branch_8_11 and build using "ant
> ivy-bootstrap; cd solr; ant package" which will generate a .tgz file).
> https://issues.apache.org/jira/browse/SOLR-15843
>
> On Thu, Mar 24, 2022 at 12:42 AM Andy Lester <an...@petdance.com> wrote:
>
>> Go to the https://solr.apache.org/security.html URL and you will find
>> instructions there on what to do.
>>
>> Andy
>
>

Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by Ishan Chattopadhyaya <ic...@gmail.com>.
Here's the issue where Log4J was upgraded. You can look at the pull request
there to find out what you need to change. After that, you can build your
own Solr binaries for your use (fix in github.com/apache/lucene-solr's
branch_8_11 and build using "ant ivy-bootstrap; cd solr; ant package" which
will generate a .tgz file).
https://issues.apache.org/jira/browse/SOLR-15843

On Thu, Mar 24, 2022 at 12:42 AM Andy Lester <an...@petdance.com> wrote:

> Go to the https://solr.apache.org/security.html URL and you will find
> instructions there on what to do.
>
> Andy

Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by Andy Lester <an...@petdance.com>.
Go to the https://solr.apache.org/security.html URL and you will find instructions there on what to do.

Andy

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by "Heller, George A III CTR (USA)" <ge...@mail.mil.INVALID>.
Whatever you sent got removed by our email filters. Can you please resend as text.

Thanks,
George

-----Original Message-----
From: Andy Lester <an...@petdance.com> 
Sent: Wednesday, March 23, 2022 2:55 PM
To: users@solr.apache.org
Subject: [URL Verdict: Neutral][Non-DoD Source] Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

> On Mar 23, 2022, at 1:36 PM, Heller, George A III CTR (USA) <ge...@mail.mil.INVALID> wrote:
> 
> Can someone tell me where I can download an upgrade or patch for LOG4J and instructions on how to implement it?
> 


See https://solr.apache.org/security.html

Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17

Posted by Andy Lester <an...@petdance.com>.

> On Mar 23, 2022, at 1:36 PM, Heller, George A III CTR (USA) <ge...@mail.mil.INVALID> wrote:
> 
> Can someone tell me where I can download an upgrade or patch for LOG4J and instructions on how to implement it?
> 


See https://solr.apache.org/security.html