Re: Log4J DoS Vulnerability: CVE-2021-45105

2022-02-24 Thread André Widhani
Please see https://solr.apache.org/security.html
To quote from there:

| Solr is not vulnerable to the followup CVE-2021-45046 and CVE-2021-45105.


From: Ramila Herath 
Sent: Thursday, 24 February 2022 05:25
To: users@solr.apache.org 
Subject: Log4J DoS Vulnerability: CVE-2021-45105




Hi;



Can this vulnerability be exploited in Solr 8.11.1? Solr 8.11.1 has log4j 2.16 
but I couldn't find a log4j.properties file in the distribution setting a 
non-default layout pattern (with or without context lookup). Any idea when Solr 
would do a release with log4j 2.17.1?



Thanks in advance



Regards,



Ramila Herath (he/him)

Senior Software Architect | Experience Framework


Facing Solr Issue - enable LTR on our instance of SOLR 8.1

2022-02-24 Thread Shailesh Randive
Hello,

We have enabled LTR on our instance of SOLR 8.1.
I have uploaded one catalog on local system and our QA environment and followed 
the standard process for enabling the feature on QA.

We have followed below link for configuration:
https://solr.apache.org/guide/8_1/learning-to-rank.html

When we ran the LTR query on both environments we can see that the SOLR ranking and 
the sort order itself are different across the environments.

Please find attachment which highlights the score difference.

Can you please help us have uniform ranks/scores across the environments?



Re: Log4J DoS Vulnerability: CVE-2021-45105

2022-02-24 Thread Shawn Heisey

On 2/23/2022 9:25 PM, Ramila Herath wrote:
Can this vulnerability be exploited in Solr 8.11.1? Solr 8.11.1 has 
log4j 2.16 but I couldn't find a log4j.properties file in the 
distribution setting a non-default layout pattern (with or without 
context lookup). Any idea when Solr would do a release with log4j 2.17.1?


As noted in another reply, Solr is not vulnerable to the problems fixed 
after log4j 2.16, as long as you do not change the logging 
configuration.  Because of that, it is likely that the first version of 
Solr with log4j 2.17.1 or later will be Solr 9.0.0.  The release process 
for 9.0.0 is underway now.  I do not have an ETA.


The log4j2 library does not use log4j.properties for configuration - 
that's used by log4j 1.x.  You'll find the logging config for Solr in a 
file named log4j2.xml.


Thanks,
Shawn
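As an added example (not code from this thread or from the Solr project), a small audit an operator could run against the log4j2.xml Shawn mentions, to confirm the condition the thread discusses: whether any PatternLayout pattern contains a Context Lookup (`${ctx:...}` or its deferred `$${ctx:...}` form), which is what CVE-2021-45105 requires. The sample configuration below is constructed, and the command-line path is an assumption.

```python
import re
import sys
import xml.etree.ElementTree as ET

# A Log4j2 Context Lookup inside a layout pattern: ${ctx:name} or the deferred form $${ctx:name}.
# %X{name} is a pattern converter, not a lookup, so it is deliberately not flagged.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")

# Constructed sample (not Solr's shipped file): one stock-style appender, one edited to use a lookup.
SAMPLE_LOG4J2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard}] %c{1.} %m%n"/>
    </Console>
    <RollingFile name="MainLogFile" fileName="logs/solr.log" filePattern="logs/solr.log.%i">
      <PatternLayout>
        <Pattern>%d %-5p $${ctx:loginId} %c{1.} %m%n</Pattern>
      </PatternLayout>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="MainLogFile"/></Root>
  </Loggers>
</Configuration>
"""

def find_context_lookups(log4j2_xml: str) -> list:
    """Return (appender name, pattern) for every PatternLayout whose pattern contains a Context Lookup."""
    root = ET.fromstring(log4j2_xml)
    appenders = root.find("Appenders")
    hits = []
    if appenders is None:
        return hits
    for appender in appenders:
        for layout in appender.iter("PatternLayout"):
            # The pattern is given either as a 'pattern' attribute or as a nested <Pattern> element.
            pattern = layout.get("pattern")
            if pattern is None:
                child = layout.find("Pattern")
                pattern = (child.text or "") if child is not None else ""
            if CTX_LOOKUP.search(pattern):
                hits.append((appender.get("name"), pattern))
    return hits

if __name__ == "__main__":
    # Path is an assumption: pass your own log4j2.xml; otherwise the constructed sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG4J2_XML
    for name, pattern in find_context_lookups(text):
        print(f"appender {name!r} uses a Context Lookup in its PatternLayout: {pattern}")
```

An empty result means the layouts contain no Context Lookup, which is the unchanged-configuration case Shawn describes; a hit is a layout that was edited away from the default and should be reviewed before relying on the "not vulnerable" statement.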