Posted to commits@solr.apache.org by ds...@apache.org on 2021/12/23 13:50:35 UTC

[solr-site] branch main updated: Log4shell: Justify log4j2.formatMsgNoLookups (#62)

This is an automated email from the ASF dual-hosted git repository.

dsmiley pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 187807e  Log4shell: Justify log4j2.formatMsgNoLookups (#62)
187807e is described below

commit 187807ec46bead6d18759cf51d5a4dbde55fcab5
Author: David Smiley <ds...@apache.org>
AuthorDate: Thu Dec 23 08:50:28 2021 -0500

    Log4shell: Justify log4j2.formatMsgNoLookups (#62)
    
    and refer to the Wiki for some more explanations.
---
 content/solr/security/2021-12-10-cve-2021-44228.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/content/solr/security/2021-12-10-cve-2021-44228.md b/content/solr/security/2021-12-10-cve-2021-44228.md
index 98a75e7..71fad62 100644
--- a/content/solr/security/2021-12-10-cve-2021-44228.md
+++ b/content/solr/security/2021-12-10-cve-2021-44228.md
@@ -15,10 +15,7 @@ Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through 7.3)
 
 Solr's Prometheus Exporter uses Log4J as well but it does not log user input or data, so we don't see a risk there.
 
-Apache Solr releases are *not* vulnerable to the followup **CVE-2021-45046** and **CVE-2021-45105**, because the MDC patterns used by Solr
-are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized
-and injected into log files with "`%X`". Passing system property `log4j2.formatMsgNoLookups=true` (as described below)
-is suitable to mitigate.
+Solr is *not* vulnerable to the followup **CVE-2021-45046** and **CVE-2021-45105**.  A listing of these and other CVEs with some justifications are listed in Solr's wiki: https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools
 
 **Mitigation:**
 Any of the following are enough to prevent this vulnerability for Solr servers:
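Review bot: The replacement sentence drops the concrete reason the page previously gave for Solr not being affected by CVE-2021-45046 and CVE-2021-45105 (the MDC values Solr logs are collection, shard, replica, core and node names plus a trace id, all sanitized and emitted via `%X`) and leaves only a wiki link; a reader who follows the "Solr is *not* vulnerable" claim now has to leave the page to learn why, and the link can go stale. Suggest keeping a one-sentence version of that justification inline and using the wiki link as the pointer for the full CVE list. The new line also has a grammar problem and a redundant double space: "A listing of these and other CVEs with some justifications are listed in Solr's wiki" should read "These and other CVEs, with justifications, are listed in Solr's wiki:".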
@@ -32,5 +29,9 @@ Any of the following are enough to prevent this vulnerability for Solr servers:
   `set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true`
 * Follow any of the other mitgations listed at <https://logging.apache.org/log4j/2.x/security.html>
 
+The Log4J security page refers to setting `log4j2.formatMsgNoLookups=true` as a "discredited" mitigation.  In reality, it depends.
+We've looked at the root cause and audited the code paths that lead to the vulnerability, and we feel confident in this mitigation being sufficient for Solr.
+See <https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz> for discussion.
+
 **References:**
 <https://logging.apache.org/log4j/2.x/security.html>
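Review bot: "In reality, it depends." in the first added line is left unexplained, and the removed paragraph in the previous hunk was the only place that said what it depends on (whether attacker-controlled data can reach a lookup through the pattern layout or MDC). Since this paragraph argues against Log4J's "discredited" label, it should state the condition explicitly, e.g. "It depends on whether user-controlled text can reach a lookup; in Solr the only MDC values are sanitized names emitted via `%X`, so ...", rather than relying on the mailing-list thread alone. Also note the pre-existing typo "mitgations" in the unchanged context line immediately above this addition, which this edit is a good opportunity to fix, and the double spaces after periods in the new lines.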