Posted to commits@solr.apache.org by gi...@apache.org on 2021/12/10 16:03:58 UTC

[solr-site] branch asf-staging updated: Automatic Site Publish by Buildbot

This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/solr-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new a7c7e56  Automatic Site Publish by Buildbot
a7c7e56 is described below

commit a7c7e5695a231d0a176e8302f833465a2fc44253
Author: buildbot <us...@infra.apache.org>
AuthorDate: Fri Dec 10 16:03:56 2021 +0000

    Automatic Site Publish by Buildbot
---
 output/feeds/all.atom.xml           | 26 ++++++++++-
 output/feeds/solr/security.atom.xml | 26 ++++++++++-
 output/index.html                   |  2 +-
 output/news.html                    | 22 ++++++++++
 output/operator/index.html          |  2 +-
 output/security.html                | 88 ++++++++++++-------------------------
 6 files changed, 102 insertions(+), 64 deletions(-)

diff --git a/output/feeds/all.atom.xml b/output/feeds/all.atom.xml
index 6924341..2712442 100644
--- a/output/feeds/all.atom.xml
+++ b/output/feeds/all.atom.xml
@@ -1,5 +1,29 @@
 <?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr</title><link href="/" rel="alternate"></link><link href="/feeds/all.atom.xml" rel="self"></link><id>/</id><updated>2021-11-16T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache Solr Operator™ v0.5.0 available</title><link href="/apache-solr-operatortm-v050-available.html" rel="alternate"></link><published>2021-11-16T00:00:00+00:00</published><updated>2021-11-16T00:00:00+00:00</updated><author [...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr</title><link href="/" rel="alternate"></link><link href="/feeds/all.atom.xml" rel="self"></link><id>/</id><updated>2021-12-12T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache Solr affected by Apache Log4J CVE-2021-44228: JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints</title><link href="/apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi- [...]
+Critical&lt;/p&gt;
+&lt;p&gt;&lt;strong&gt;Versions Affected:&lt;/strong&gt;
+7.0.0 to 7.7.3
+8.0.0 to 8.11.0&lt;/p&gt;
+&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;
+Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security …&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;Severity:&lt;/strong&gt;
+Critical&lt;/p&gt;
+&lt;p&gt;&lt;strong&gt;Versions Affected:&lt;/strong&gt;
+7.0.0 to 7.7.3
+8.0.0 to 8.11.0&lt;/p&gt;
+&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;
+Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.&lt;/p&gt;
+&lt;p&gt;Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use log4j 1.2.17 which may be vulnerable for installations using non-default logging configurations. To determine you if you are vulnerable please consult the Log4J security page.&lt;/p&gt;
+&lt;p&gt;&lt;strong&gt;Mitigation:&lt;/strong&gt;
+Any of the following are enough to prevent this vulnerability:&lt;/p&gt;
+&lt;ul&gt;
+&lt;li&gt;Upgrade to &lt;code&gt;Solr 8.11.1&lt;/code&gt; or greater (when available), which will include an updated version of the log4j2 dependancy.&lt;/li&gt;
+&lt;li&gt;Manually update the version of log4j2 on your runtime classpath and restart your Solr application.&lt;/li&gt;
+&lt;li&gt;(Linux/MacOS) Edit your &lt;code&gt;solr.in.sh&lt;/code&gt; file to include &lt;code&gt;SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"&lt;/code&gt;&lt;/li&gt;
+&lt;li&gt;(Windows) Edit your &lt;code&gt;solr.in.cmd&lt;/code&gt; file to include &lt;code&gt;SOLR_OPTS="%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true"&lt;/code&gt;&lt;/li&gt;
+&lt;li&gt;Follow any of the other mitgations listed at https://logging.apache.org/log4j/2.x/security.html&lt;/li&gt;
+&lt;/ul&gt;
+&lt;p&gt;&lt;strong&gt;References:&lt;/strong&gt;
+https://logging.apache.org/log4j/2.x/security.html&lt;/p&gt;</content><category term="solr/security"></category></entry><entry><title>Apache Solr Operator™ v0.5.0 available</title><link href="/apache-solr-operatortm-v050-available.html" rel="alternate"></link><published>2021-11-16T00:00:00+00:00</published><updated>2021-11-16T00:00:00+00:00</updated><author><name>Solr Developers</name></author><id>tag:None,2021-11-16:/apache-solr-operatortm-v050-available.html</id><summary type="html">&l [...]
 &lt;p&gt;The Apache Solr Operator is a safe and easy way of managing a Solr ecosystem in Kubernetes.&lt;/p&gt;
 &lt;p&gt;This release contains numerous bug fixes, optimizations, and improvements, some of which are highlighted below …&lt;/p&gt;</summary><content type="html">&lt;p&gt;The Apache Solr PMC is pleased to announce the release of the Apache Solr Operator v0.5.0.&lt;/p&gt;
 &lt;p&gt;The Apache Solr Operator is a safe and easy way of managing a Solr ecosystem in Kubernetes.&lt;/p&gt;
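Review bot: the Windows mitigation bullet, `SOLR_OPTS="%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true"`, uses Unix shell assignment syntax; in a `.cmd` file the line has to read `set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true` (no quotes), otherwise cmd treats it as a command to execute, the property never reaches the JVM, and the reader believes a mitigation is in place that is not. Also, the feed's `<updated>` and the entry's `<published>` are 2021-12-12 while this publish was built on 2021-12-10 (see AuthorDate above), so the advisory carries a future date; confirm the post's date metadata is intended.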
diff --git a/output/feeds/solr/security.atom.xml b/output/feeds/solr/security.atom.xml
index 5afbd1b..65adb76 100644
--- a/output/feeds/solr/security.atom.xml
+++ b/output/feeds/solr/security.atom.xml
@@ -1,5 +1,29 @@
 <?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr - solr/security</title><link href="/" rel="alternate"></link><link href="/feeds/solr/security.atom.xml" rel="self"></link><id>/</id><updated>2021-04-12T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>CVE-2021-27905: SSRF vulnerability with the Replication handler</title><link href="/cve-2021-27905-ssrf-vulnerability-with-the-replication-handler.html" rel="alternate"></link><published>2021-04-12T0 [...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr - solr/security</title><link href="/" rel="alternate"></link><link href="/feeds/solr/security.atom.xml" rel="self"></link><id>/</id><updated>2021-12-12T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache Solr affected by Apache Log4J CVE-2021-44228: JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints</title><link href="/apache-solr-affected-by-apache- [...]
+Critical&lt;/p&gt;
+&lt;p&gt;&lt;strong&gt;Versions Affected:&lt;/strong&gt;
+7.0.0 to 7.7.3
+8.0.0 to 8.11.0&lt;/p&gt;
+&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;
+Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security …&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;Severity:&lt;/strong&gt;
+Critical&lt;/p&gt;
+&lt;p&gt;&lt;strong&gt;Versions Affected:&lt;/strong&gt;
+7.0.0 to 7.7.3
+8.0.0 to 8.11.0&lt;/p&gt;
+&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;
+Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.&lt;/p&gt;
+&lt;p&gt;Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use log4j 1.2.17 which may be vulnerable for installations using non-default logging configurations. To determine you if you are vulnerable please consult the Log4J security page.&lt;/p&gt;
+&lt;p&gt;&lt;strong&gt;Mitigation:&lt;/strong&gt;
+Any of the following are enough to prevent this vulnerability:&lt;/p&gt;
+&lt;ul&gt;
+&lt;li&gt;Upgrade to &lt;code&gt;Solr 8.11.1&lt;/code&gt; or greater (when available), which will include an updated version of the log4j2 dependancy.&lt;/li&gt;
+&lt;li&gt;Manually update the version of log4j2 on your runtime classpath and restart your Solr application.&lt;/li&gt;
+&lt;li&gt;(Linux/MacOS) Edit your &lt;code&gt;solr.in.sh&lt;/code&gt; file to include &lt;code&gt;SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"&lt;/code&gt;&lt;/li&gt;
+&lt;li&gt;(Windows) Edit your &lt;code&gt;solr.in.cmd&lt;/code&gt; file to include &lt;code&gt;SOLR_OPTS="%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true"&lt;/code&gt;&lt;/li&gt;
+&lt;li&gt;Follow any of the other mitgations listed at https://logging.apache.org/log4j/2.x/security.html&lt;/li&gt;
+&lt;/ul&gt;
+&lt;p&gt;&lt;strong&gt;References:&lt;/strong&gt;
+https://logging.apache.org/log4j/2.x/security.html&lt;/p&gt;</content><category term="solr/security"></category></entry><entry><title>CVE-2021-27905: SSRF vulnerability with the Replication handler</title><link href="/cve-2021-27905-ssrf-vulnerability-with-the-replication-handler.html" rel="alternate"></link><published>2021-04-12T00:00:00+00:00</published><updated>2021-04-12T00:00:00+00:00</updated><author><name>Solr Developers</name></author><id>tag:None,2021-04-12:/cve-2021-27905-ssrf- [...]
 High&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;Versions Affected:&lt;/strong&gt;
 7.0.0 to 7.7.3
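Review bot: the advisory body duplicated into this feed carries the same wording defects as in all.atom.xml and should be fixed once in the source post rather than in the rendered feeds: "dependancy" should be "dependency", "mitgations" should be "mitigations", and "To determine you if you are vulnerable" should be "To determine if you are vulnerable". Independently, `<subtitle></subtitle>` is emitted twice inside `<feed>` (visible in both the removed and the added `<feed>` lines); a single empty subtitle is what the generator should produce.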
diff --git a/output/index.html b/output/index.html
index 3b0f0b3..d82db50 100644
--- a/output/index.html
+++ b/output/index.html
@@ -112,7 +112,7 @@
 </div>
 
 <div class="header-fill"></div>
-<section class="security" latest-date="2021-04-12">
+<section class="security" latest-date="2021-12-12">
   <div class="row">
     <div class="large-12 columns text-center">
       <h2><a href="security.html">&#x26A0; There are recent security announcements. Read more on the Security page.</a></h2>
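Review bot: `latest-date` moves to 2021-12-12, two days after this build's AuthorDate (2021-12-10), so whatever reads this attribute to decide whether to show the "recent security announcements" banner is fed a future date; confirm the post date in the source is correct. Separately, a custom attribute on `<section>` should be `data-latest-date` to be valid HTML5; the attribute is pre-existing, but this is the line being touched.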
diff --git a/output/news.html b/output/news.html
index 6bdb6d4..b0e88c9 100644
--- a/output/news.html
+++ b/output/news.html
@@ -132,6 +132,28 @@
   <h1 id="solr-news">Solr<sup>™</sup> News<a class="headerlink" href="#solr-news" title="Permanent link">¶</a></h1>
   <p>You may also read these news as an <a href="/feeds/solr/news.atom.xml">ATOM feed</a>.</p>
 
+  <h2 id="apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-features-do-not-protect-against-attacker-controlled-ldap-and-other-jndi-related-endpoints">12 December 2021, Apache Solr affected by Apache Log4J CVE-2021-44228: JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
+    <a class="headerlink" href="#apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-features-do-not-protect-against-attacker-controlled-ldap-and-other-jndi-related-endpoints" title="Permanent link">¶</a>
+  </h2>
+  <p><strong>Severity:</strong>
+Critical</p>
+<p><strong>Versions Affected:</strong>
+7.0.0 to 7.7.3
+8.0.0 to 8.11.0</p>
+<p><strong>Description:</strong>
+Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.</p>
+<p>Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use log4j 1.2.17 which may be vulnerable for installations using non-default logging configurations. To determine you if you are vulnerable please consult the Log4J security page.</p>
+<p><strong>Mitigation:</strong>
+Any of the following are enough to prevent this vulnerability:</p>
+<ul>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which will include an updated version of the log4j2 dependancy.</li>
+<li>Manually update the version of log4j2 on your runtime classpath and restart your Solr application.</li>
+<li>(Linux/MacOS) Edit your <code>solr.in.sh</code> file to include <code>SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"</code></li>
+<li>(Windows) Edit your <code>solr.in.cmd</code> file to include <code>SOLR_OPTS="%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true"</code></li>
+<li>Follow any of the other mitgations listed at https://logging.apache.org/log4j/2.x/security.html</li>
+</ul>
+<p><strong>References:</strong>
+https://logging.apache.org/log4j/2.x/security.html</p>
   <h2 id="apache-solrtm-8110-available">16 November 2021, Apache Solr™ 8.11.0 available
     <a class="headerlink" href="#apache-solrtm-8110-available" title="Permanent link">¶</a>
   </h2>
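Review bot: the "Versions Affected" paragraph places "7.0.0 to 7.7.3" and "8.0.0 to 8.11.0" on separate source lines inside one `<p>` with no `<br>` or list, so browsers render them as the single run "7.0.0 to 7.7.3 8.0.0 to 8.11.0"; a `<ul>` of version ranges, as the other advisories on security.html use, avoids the ambiguity. The paragraph on pre-7.0 releases says installations on log4j 1.2.17 "may be vulnerable", yet every mitigation bullet is log4j2-specific (upgrade to 8.11.1, `log4j2.formatMsgNoLookups`), leaving Solr 5.x/6.x operators with no applicable step; either add one or state explicitly that the listed items do not apply to them. The References URL is also plain text rather than an `<a href>` as elsewhere on the site.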
diff --git a/output/operator/index.html b/output/operator/index.html
index 0403326..5f3a3c0 100644
--- a/output/operator/index.html
+++ b/output/operator/index.html
@@ -107,7 +107,7 @@
 </div>
 
 <div class="header-fill"></div>
-<section class="security" latest-date="2021-04-12">
+<section class="security" latest-date="2021-12-12">
   <div class="row">
     <div class="large-12 columns text-center">
       <h2><a href="/security.html">&#x26A0; There are recent security announcements. Read more on the Solr Security page.</a></h2>
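Review bot: the same future-dated `latest-date="2021-12-12"` as in output/index.html appears here; the value derives from the post's date metadata, so correct it there once rather than in each rendered file, and consider `data-latest-date` for validity while the attribute is being changed.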
diff --git a/output/security.html b/output/security.html
index a173591..39f95f3 100644
--- a/output/security.html
+++ b/output/security.html
@@ -140,6 +140,11 @@ Then please disclose responsibly by following <a href="https://www.apache.org/se
             <th>Announcement</th>
         </tr>
         <tr>
+            <td><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></td>
+            <td>2021-12-12</td>
+            <td><a href="#apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-features-do-not-protect-against-attacker-controlled-ldap-and-other-jndi-related-endpoints">Apache Solr affected by Apache Log4J CVE-2021-44228: JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints</a></td>
+        </tr>
+        <tr>
             <td><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-27905">CVE-2021-27905</a></td>
             <td>2021-04-12</td>
             <td><a href="#cve-2021-27905-ssrf-vulnerability-with-the-replication-handler">SSRF vulnerability with the Replication handler</a></td>
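Review bot: the Announcement cell of the new row repeats the full post title ("Apache Solr affected by Apache Log4J CVE-2021-44228: JNDI features do not protect ..."), while the existing rows give only the short description after the CVE id (compare the CVE-2021-27905 row: "SSRF vulnerability with the Replication handler"); trimming to the part after the colon keeps the table scannable and avoids stating the CVE number twice in one row.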
@@ -209,13 +214,31 @@ Then please disclose responsibly by following <a href="https://www.apache.org/se
             <td>2017-10-26</td>
             <td><a href="#cve-2016-6809-java-code-execution-for-serialized-objects-embedded-in-matlab-files-parsed-by-apache-solr-using-tika">Java code execution for serialized objects embedded in MATLAB files parsed by Apache Solr using Tika</a></td>
         </tr>
-        <tr>
-            <td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-9803">CVE-2017-9803</a></td>
-            <td>2017-10-18</td>
-            <td><a href="#several-critical-vulnerabilities-discovered-in-apache-solr-xxe-rce">Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)</a></td>
-        </tr>
     </table>
 
+  <h2 id="apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-features-do-not-protect-against-attacker-controlled-ldap-and-other-jndi-related-endpoints">2021-12-12, Apache Solr affected by Apache Log4J CVE-2021-44228: JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
+    <a class="headerlink" href="#apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-features-do-not-protect-against-attacker-controlled-ldap-and-other-jndi-related-endpoints" title="Permanent link">¶</a>
+  </h2>
+  <p><strong>Severity:</strong>
+Critical</p>
+<p><strong>Versions Affected:</strong>
+7.0.0 to 7.7.3
+8.0.0 to 8.11.0</p>
+<p><strong>Description:</strong>
+Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.</p>
+<p>Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use log4j 1.2.17 which may be vulnerable for installations using non-default logging configurations. To determine you if you are vulnerable please consult the Log4J security page.</p>
+<p><strong>Mitigation:</strong>
+Any of the following are enough to prevent this vulnerability:</p>
+<ul>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which will include an updated version of the log4j2 dependancy.</li>
+<li>Manually update the version of log4j2 on your runtime classpath and restart your Solr application.</li>
+<li>(Linux/MacOS) Edit your <code>solr.in.sh</code> file to include <code>SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"</code></li>
+<li>(Windows) Edit your <code>solr.in.cmd</code> file to include <code>SOLR_OPTS="%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true"</code></li>
+<li>Follow any of the other mitgations listed at https://logging.apache.org/log4j/2.x/security.html</li>
+</ul>
+<p><strong>References:</strong>
+https://logging.apache.org/log4j/2.x/security.html</p>
+  <hr/>
   <h2 id="cve-2021-27905-ssrf-vulnerability-with-the-replication-handler">2021-04-12, CVE-2021-27905: SSRF vulnerability with the Replication handler
     <a class="headerlink" href="#cve-2021-27905-ssrf-vulnerability-with-the-replication-handler" title="Permanent link">¶</a>
   </h2>
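Review bot: the removed `<tr>` block drops the CVE-2017-9803 row (2017-10-18, "Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)") from the advisory table, which a publish that only adds the Log4J post should not do; it looks like a generator side effect (for example a cap on the number of advisories rendered) rather than an intentional retirement of a published CVE, and should be checked before this reaches production. The new section also departs from the established advisory layout seen in the removed 2017 entry (no `<br>` after the `<strong>` labels, versions not in a `<ul>`, no Vendor or Credit headings, References given as an unlinked URL); matching that layout keeps the page consistent.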
@@ -631,61 +654,6 @@ deserialisation support to protect against this vulnerability.</p>
 <li><a href="https://cwiki.apache.org/confluence/display/solr/SolrSecurity">https://cwiki.apache.org/confluence/display/solr/SolrSecurity</a></li>
 </ul>
   <hr/>
-  <h2 id="several-critical-vulnerabilities-discovered-in-apache-solr-xxe-rce">2017-10-18, Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)
-    <a class="headerlink" href="#several-critical-vulnerabilities-discovered-in-apache-solr-xxe-rce" title="Permanent link">¶</a>
-  </h2>
-  <p><strong>Severity:</strong><br>
-Critical</p>
-<p><strong>Vendor:</strong><br>
-The Apache Software Foundation</p>
-<p><strong>Versions Affected:</strong>  </p>
-<ul>
-<li>Solr 5.5.0 to 5.5.4</li>
-<li>Solr 6.0.0 to 6.6.1</li>
-<li>Solr 7.0.0 to 7.0.1</li>
-</ul>
-<p><strong>Description:</strong><br>
-The details of this vulnerability were reported on public mailing
-lists. See https://s.apache.org/FJDl</p>
-<p>The first vulnerability relates to XML external entity expansion in
-the XML Query Parser which is available, by default, for any query
-request with parameters deftype=xmlparser. This can be exploited to
-upload malicious data to the /upload request handler. It can also be
-used as Blind XXE using ftp wrapper in order to read arbitrary local
-files from the solr server.</p>
-<p>The second vulnerability relates to remote code execution using the
-RunExecutableListener available on all affected versions of Solr.</p>
-<p>At the time of the above report, this was a 0-day vulnerability with a
-working exploit affecting the versions of Solr mentioned in the
-previous section. However, mitigation steps were announced to protect
-Solr users the same day. See
-https://solr.apache.org/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list</p>
-<p><strong>Mitigation:</strong><br>
-Users are advised to upgrade to either Solr 6.6.2 or Solr 7.1.0
-releases both of which address the two vulnerabilities. Once upgrade is
-complete, no other steps are required.</p>
-<p>If users are unable to upgrade to Solr 6.6.2 or Solr 7.1.0 then they
-are advised to restart their Solr instances with the system parameter
-<code>-Ddisable.configEdit=true</code>. This will disallow any changes to be made
-to your configurations via the Config API. This is a key factor in
-this vulnerability, since it allows GET requests to add the
-RunExecutableListener to your config. Users are also advised to re-map
-the XML Query Parser to another parser to mitigate the XXE
-vulnerability. For example, adding the following to the solrconfig.xml
-file re-maps the xmlparser to the edismax parser:
-<code>&lt;queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/&gt;</code></p>
-<p><strong>Credit:</strong>  </p>
-<ul>
-<li>Michael Stepankin (JPMorgan Chase)</li>
-<li>Olga Barinova (Gotham Digital Science)</li>
-</ul>
-<p><strong>References:</strong>  </p>
-<ul>
-<li><a href="https://issues.apache.org/jira/browse/SOLR-11482">https://issues.apache.org/jira/browse/SOLR-11482</a></li>
-<li><a href="https://issues.apache.org/jira/browse/SOLR-11477">https://issues.apache.org/jira/browse/SOLR-11477</a></li>
-<li><a href="https://cwiki.apache.org/confluence/display/solr/SolrSecurity">https://cwiki.apache.org/confluence/display/solr/SolrSecurity</a></li>
-</ul>
-  <hr/>
 </div>
   </div>
 </div>
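Review bot: this hunk deletes the whole CVE-2017-9803 advisory body (the XML Query Parser XXE and the RunExecutableListener RCE, together with the documented mitigations `-Ddisable.configEdit=true` and the xmlparser remap to `solr.ExtendedDismaxQParserPlugin`), so the `#several-critical-vulnerabilities-discovered-in-apache-solr-xxe-rce` anchor that the table row removed earlier in this file pointed to, and any external links to it, now break. Published advisories should remain reachable; keep this section, and if a listing limit is the cause, raise the limit or paginate, so operators of older 5.5.x/6.x/7.0.x deployments can still find the mitigation steps.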