Posted to users@solr.apache.org by "Balabag, Jonathan" <jo...@accenture.com.INVALID> on 2021/12/29 18:38:34 UTC

SOLR's Log4j 1.2 CVE-2021-4104 Vulnerability

Hi,

Good day!

I'm a software developer from Accenture that supports one of their AEM projects that bundles the SOLR software.
The reason I'm writing this letter to you is that I want to ask for advice about the controversial CVE-2021-4104<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-4104> vulnerability.
Currently our project is being scanned as vulnerable because it is using Log4j 1.2, even though we have already applied the mitigation by removing JMSAppender from the jar file and not setting it as the default appender.

Can you confirm if the mitigation is enough to avoid such vulnerability?

Thank you and looking forward to your reply.

Best regards,

Jon
JONATHAN M. BALABAG
Accenture Advanced Technology Centers in the Philippines
AICPA AO - AEM
Global One Building, Eastwood City,
Direct Line: +63 2 580 5888
Email: jonathan.balabag@accenture.com<ma...@accenture.com>

Re: SOLR's Log4j 1.2 CVE-2021-4104 Vulnerability

Posted by Shawn Heisey <ap...@elyograg.org>.
On 12/29/2021 11:38 AM, Balabag, Jonathan wrote:
> Currently our project is being scanned as vulnerable because it is using Log4j 1.2, even though we have already applied the mitigation by removing JMSAppender from the jar file and not setting it as the default appender.
> 
> Can you confirm if the mitigation is enough to avoid such vulnerability?

If the log4j config that Solr is using has not been changed to use the JMS Appender, then it is not affected by that vulnerability.  Removing the class entirely from the jar is additional assurance that you're OK.

Thanks,
Shawn
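As an added illustration of the two conditions in Shawn's reply (the log4j config Solr loads does not declare a JMSAppender, and the class has been stripped from the jar), here is a small Python check; it is not part of this thread or of Solr, the function names are my own, and the jar contents and config text are constructed stand-ins rather than real log4j artifacts.

```python
import re
import tempfile
import zipfile

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
JMS_ENTRY = "org/apache/log4j/net/JMSAppender.class"

# Properties-style (log4j.appender.jms=org.apache.log4j.net.JMSAppender) and
# XML-style (<appender name="jms" class="org.apache.log4j.net.JMSAppender">) declarations.
_PROPS_RE = re.compile(r"^\s*log4j\.appender\.[\w.-]+\s*[=:]\s*" + re.escape(JMS_CLASS) + r"\s*$", re.M)
_XML_RE = re.compile(r"<appender\b[^>]*\bclass\s*=\s*[\"']" + re.escape(JMS_CLASS) + r"[\"']")

def config_uses_jms_appender(config_text: str) -> bool:
    """True if a log4j 1.2 .properties or .xml config declares a JMSAppender."""
    return bool(_PROPS_RE.search(config_text) or _XML_RE.search(config_text))

def jar_contains_jms_appender(jar_path: str) -> bool:
    """True if the jar still ships the JMSAppender class file."""
    with zipfile.ZipFile(jar_path) as jar:
        return JMS_ENTRY in jar.namelist()

def assess(config_text: str, jar_path: str) -> str:
    """CVE-2021-4104 exposure needs both a JMSAppender in the config and the class on the classpath."""
    uses, present = config_uses_jms_appender(config_text), jar_contains_jms_appender(jar_path)
    if uses and present:
        return "EXPOSED"
    if uses:
        return "BROKEN_CONFIG"  # config names a class that was stripped from the jar
    return "NOT_EXPOSED_UNREFERENCED" if present else "NOT_EXPOSED_REMOVED"

def make_sample_jar(path: str, include_jms: bool) -> None:
    """Constructed stand-in for log4j-1.2.x.jar; entries are stubs, not real classes."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"stub")
        if include_jms:
            jar.writestr(JMS_ENTRY, b"stub")

# Constructed configs: a file appender only, and the same config with a JMSAppender added.
SAMPLE_PROPERTIES = "log4j.rootLogger=INFO, file\nlog4j.appender.file=org.apache.log4j.RollingFileAppender\n"
SAMPLE_PROPERTIES_JMS = SAMPLE_PROPERTIES + "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"

def demo() -> dict:
    """Assess three constructed scenarios and return the verdict for each."""
    with tempfile.TemporaryDirectory() as tmp:
        intact, stripped = f"{tmp}/log4j-intact.jar", f"{tmp}/log4j-stripped.jar"
        make_sample_jar(intact, True)
        make_sample_jar(stripped, False)
        return {
            "default_config_intact_jar": assess(SAMPLE_PROPERTIES, intact),
            "default_config_stripped_jar": assess(SAMPLE_PROPERTIES, stripped),
            "jms_config_intact_jar": assess(SAMPLE_PROPERTIES_JMS, intact),
        }
```

In a real deployment, point `config_uses_jms_appender` at the log4j file Solr actually loads and run `jar_contains_jms_appender` over every log4j 1.2 jar on the classpath, since a second, unmodified copy of the jar would undo the removal.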