Re: Solr and CVE-2021-44228

2021-12-11 Thread Bram Van Dam
In case anyone wants to patch 7.7.3 from source, here's a patch and quick build instructions: Apply the attached patch -- hopefully the mailing list won't nerf the attachment.
  git am < /path/to/CVE-2021-4422.txt
  ant clean compile jar -Dversion=7.7.3
  cd solr
  ant package -Dversion=7.7.3
- Br

Re: Solr and CVE-2021-44228

2021-12-10 Thread Mike Drob
Thanks again! I also added more detail on the impact to log4j 1 to the announcement text. On Fri, Dec 10, 2021 at 4:32 PM Andy C wrote: > Mike, > > I see that the "Versions Affected" statement has been updated, but further > down it still states "Apache Solr releases prior to 7.0 (i.e. all Solr

Re: Solr and CVE-2021-44228

2021-12-10 Thread Andy C
Mike, I see that the "Versions Affected" statement has been updated, but further down it still states "Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use log4j 1.2.17". 7.0 should be updated to 7.4. - Andy - On Fri, Dec 10, 2021 at 5:10 PM Mike Drob wrote: > Andy - yo

Re: Solr and CVE-2021-44228

2021-12-10 Thread Mike Drob
Andy - you are correct, we will update the notice on the site. Thank you for checking the details. On Fri, Dec 10, 2021 at 4:08 PM Andy C wrote: > The statement on the https://solr.apache.org/security.html page states > that > all 7.X and all 8.X versions are vulnerable, however looking at my 7.

Re: Solr and CVE-2021-44228

2021-12-10 Thread Andy C
The statement on the https://solr.apache.org/security.html page states that all 7.X and all 8.X versions are vulnerable, however looking at my 7.3.1 Solr instance I am still finding the 1.2.17 version of the log4j jar. I found https://issues.apache.org/jira/browse/SOLR-7887 which indicates that th

Re: Solr and CVE-2021-44228

2021-12-10 Thread mtn search
Thanks again Mike! Do you perhaps have an example of a lookup capable appender for log4j v1.2? I have only found lookups for 2.x https://logging.apache.org/log4j/2.x/manual/lookups.html. I am only using two types of appenders for v1.2: org.apache.log4j.ConsoleAppender org.apache.log4j.

Re: Solr and CVE-2021-44228

2021-12-10 Thread Mike Drob
If you are opting in to using a lookup-capable appender then you are vulnerable. I don’t have a POC for testing it, but generally you’d only be affected if you’re using this functionality explicitly. On Fri, Dec 10, 2021 at 3:21 PM mtn search wrote: > Thanks for the information Mike! > > I notice

Re: Solr and CVE-2021-44228

2021-12-10 Thread Richard Frovarp
Unless other attack vectors are found, which are now noted in that same section if you are running through Tomcat. On 12/10/21 2:22 PM, Rahul Goswami wrote: In addition to the mitigation strategies mentioned on the Solr page, the below blog post indicates that you should be protected if you are

Re: Solr and CVE-2021-44228

2021-12-10 Thread mtn search
Thanks for the information Mike! I noticed that on https://solr.apache.org/security.html it lists the following statement for Solr releases prior to 7: Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use log4j 1.2.17 which may be vulnerable for installations using non-defa

Re: Solr and CVE-2021-44228

2021-12-10 Thread Rahul Goswami
In addition to the mitigation strategies mentioned on the Solr page, the below blog post indicates that you should be protected if you are using Java 11.0.1 and up: https://www.lunasec.io/docs/blog/log4j-zero-day/ On Fri, Dec 10, 2021 at 3:07 PM Mike Drob wrote: > Solr is affected. Please see th

Re: Solr and CVE-2021-44228

2021-12-10 Thread Mike Drob
Solr is affected. Please see the statement at the https://solr.apache.org/security.html page. On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood wrote: > Does all Solr logging go through slf4j? If so, that should protect against > this vulnerability. > > If not, who has tested Solr with log4j 2.15