[ https://issues.apache.org/jira/browse/SOLR-15843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459515#comment-17459515 ]
Chris Troullis edited comment on SOLR-15843 at 12/14/21, 10:05 PM:
-------------------------------------------------------------------

Just a heads up regarding the notes here: [https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228]

It now looks like [https://logging.apache.org/log4j/2.x/security.html] has been updated to remove setting -Dlog4j2.formatMsgNoLookups=true as a recommended mitigation measure. It is now listed in the history under the section for "Older (discredited) mitigation measures". Apparently setting the property does help eliminate the major attack vectors, but there are others that are not mitigated by setting the property. Not sure if these additional attack vectors are applicable to Solr or not, but the page now states that "The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar."

Again, not sure if this warrants updating the notes in the Solr CVE report, just wanted to bring it to your attention. Setting the property still provides protection, but seems like they are now saying that it may not provide complete protection from all attack vectors.

was (Author: ctroullis):
Just a heads up regarding the notes here: [https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228]

It now looks like [https://logging.apache.org/log4j/2.x/security.html] has been updated to remove setting -Dlog4j2.formatMsgNoLookups=true as a recommended mitigation measure. It is now listed in the history under the section for "Older (discredited) mitigation measures". Apparently setting the property does help eliminate the major attack vectors, but there are others that are not mitigated by setting the property. Not sure if these additional attack vectors are applicable to Solr or not, but the page now states that "The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar."

Again, not sure if this warrants updating the notes in the Solr CVE report, just wanted to bring it to your attention. Setting the property still provides protection, but seems like they are now saying that it may not provide complete protection.

> Update Log4J dependency
> -----------------------
>
>                 Key: SOLR-15843
>                 URL: https://issues.apache.org/jira/browse/SOLR-15843
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public)
>            Reporter: Mike Drob
>            Assignee: Mike Drob
>            Priority: Critical
>             Fix For: 9.0, 8.11.1
>
>          Time Spent: 4h 50m
>  Remaining Estimate: 0h
>
> Log4j 2.15 is about to be released, we should update when it is available.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
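As an added example (not part of this Jira thread or of the Solr project), a small Python audit of the "remove the JndiLookup class from the log4j-core jar" mitigation the comment quotes from the Log4j security page: it reads the version a log4j-core jar claims in its bundled Maven pom.properties, checks whether the JndiLookup entry is still present, and writes a copy of the jar with that entry removed. The jar used in `run_demo` is a constructed fixture with only the two entries inspected, not a real Log4j build; the entry paths are the ones a real log4j-core jar uses.

```python
import tempfile
import zipfile
from typing import Optional

# Entry names as they appear inside a real log4j-core jar.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def read_log4j_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Version string from the Maven pom.properties bundled in log4j-core, if any."""
    if POM_PROPERTIES not in jar.namelist():
        return None
    for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None

def audit_log4j_jar(path: str) -> dict:
    """Report the claimed version and whether JndiLookup.class is still shipped."""
    with zipfile.ZipFile(path) as jar:
        return {"version": read_log4j_version(jar),
                "has_jndi_lookup": JNDI_LOOKUP_ENTRY in jar.namelist()}

def strip_jndi_lookup(src: str, dst: str) -> int:
    """Write dst as a copy of src without JndiLookup.class; return how many entries were dropped."""
    dropped = 0
    with zipfile.ZipFile(src) as src_jar, zipfile.ZipFile(dst, "w") as dst_jar:
        for info in src_jar.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                dropped += 1
                continue  # everything else is copied unchanged, original jar untouched
            dst_jar.writestr(info, src_jar.read(info.filename))
    return dropped

def make_sample_jar(path: str, version: str, with_jndi: bool) -> str:
    """Constructed fixture (not a real log4j build): just the two entries we inspect."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # placeholder, not bytecode
    return path

def run_demo() -> tuple:
    """Round trip on a constructed 2.14.1-style jar: audit, strip, audit the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = make_sample_jar(f"{tmp}/log4j-core-2.14.1.jar", "2.14.1", True)
        dst = f"{tmp}/log4j-core-2.14.1-nojndi.jar"
        return audit_log4j_jar(src), strip_jndi_lookup(src, dst), audit_log4j_jar(dst)
```

On a real deployment, point `audit_log4j_jar` at the log4j-core jar actually on the classpath; a jar that still reports `has_jndi_lookup: True` on a version below the fixed releases is one where only the system property, if anything, is standing between the instance and the lookup.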