[solr-site] branch main updated: Add note about CVE-2021-45105 (#61)

[us...@apache.org]

This is an automated email from the ASF dual-hosted git repository.

uschindler pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-site.git


The following commit(s) were added to refs/heads/main by this push:
     new e10a6a9  Add note about CVE-2021-45105 (#61)
e10a6a9 is described below

commit e10a6a9fe0eed8dcba3ad1a076c8208e014e76ff
Author: Uwe Schindler <us...@apache.org>
AuthorDate: Sat Dec 18 13:06:14 2021 +0100

    Add note about CVE-2021-45105 (#61)
---
 content/solr/security/2021-12-10-cve-2021-44228.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/content/solr/security/2021-12-10-cve-2021-44228.md b/content/solr/security/2021-12-10-cve-2021-44228.md
index daddf1a..98a75e7 100644
--- a/content/solr/security/2021-12-10-cve-2021-44228.md
+++ b/content/solr/security/2021-12-10-cve-2021-44228.md
@@ -15,9 +15,10 @@ Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through 7.3)
 
 Solr's Prometheus Exporter uses Log4J as well but it does not log user input or data, so we don't see a risk there.
 
-Apache Solr releases are *not* vulnerable to the followup CVE-2021-45046, because the MDC patterns used by Solr are for the
-collection, shard, replica, core and node names, and a potential trace id, which are all sanitized. Passing system property
-`log4j2.formatMsgNoLookups=true` (as described below) is suitable to mitigate.
+Apache Solr releases are *not* vulnerable to the followup **CVE-2021-45046** and **CVE-2021-45105**, because the MDC patterns used by Solr
+are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized
+and injected into log files with "`%X`". Passing system property `log4j2.formatMsgNoLookups=true` (as described below)
+is suitable to mitigate.
 
 **Mitigation:**
 Any of the following are enough to prevent this vulnerability for Solr servers: