Posted to commits@solr.apache.org by us...@apache.org on 2021/12/15 20:23:00 UTC

[solr-site] branch main updated: Add a note about CVE-2021-45046 (#59)

This is an automated email from the ASF dual-hosted git repository.

uschindler pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 385a5df  Add a note about CVE-2021-45046 (#59)
385a5df is described below

commit 385a5dfe9126aeabc76445653b8b0bcbdd445caf
Author: Uwe Schindler <us...@apache.org>
AuthorDate: Wed Dec 15 21:22:55 2021 +0100

    Add a note about CVE-2021-45046 (#59)
---
 content/solr/security/2021-12-10-cve-2021-44228.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/content/solr/security/2021-12-10-cve-2021-44228.md b/content/solr/security/2021-12-10-cve-2021-44228.md
index 6b5ecf9..daddf1a 100644
--- a/content/solr/security/2021-12-10-cve-2021-44228.md
+++ b/content/solr/security/2021-12-10-cve-2021-44228.md
@@ -15,10 +15,14 @@ Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through 7.3)
 
 Solr's Prometheus Exporter uses Log4J as well but it does not log user input or data, so we don't see a risk there.
 
+Apache Solr releases are *not* vulnerable to the followup CVE-2021-45046, because the MDC patterns used by Solr are for the
+collection, shard, replica, core and node names, and a potential trace id, which are all sanitized. Passing system property
+`log4j2.formatMsgNoLookups=true` (as described below) is suitable to mitigate.
+
 **Mitigation:**
 Any of the following are enough to prevent this vulnerability for Solr servers:
 
-* Upgrade to `Solr 8.11.1` or greater (when available), which will include an updated version of the Log4J dependency.
+* Upgrade to `Solr 8.11.1` or greater (when available), which will include an updated version (`>= 2.16.0`) of the Log4J dependency.
 * If you are using Solr's official docker image, it has already been mitigated in all versions listed as supported on Docker Hub: <https://hub.docker.com/_/solr>.  You may need to re-pull the image.
 * Manually update the version of Log4J on your runtime classpath and restart your Solr application.
 * (Linux/MacOS) Edit your `solr.in.sh` file to include:
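Review bot: In the added paragraph, the sentence "Passing system property `log4j2.formatMsgNoLookups=true` (as described below) is suitable to mitigate" should be tied explicitly to the reasoning in the sentence before it, since the hunk's own argument is that Solr is unaffected by CVE-2021-45046 only because every value Solr places in the MDC (collection, shard, replica, core, node name, trace id) is sanitized; as written, a reader can take the property as a general mitigation for CVE-2021-45046 rather than one that holds for Solr's configuration. Suggest: "Because these values are sanitized, setting `log4j2.formatMsgNoLookups=true` (as described below) remains a sufficient mitigation for Solr; upgrading to the Log4J version listed in the mitigation section is still preferred." Minor: "followup" should be "follow-up".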