Does all Solr logging go through slf4j? If so, that should protect against this
vulnerability.
If not, who has tested Solr with log4j 2.15.1?
We are running 8.8.2.
wunder
Walter Underwood
wun...@wunderwood.org
http://observer.wunderwood.org/ (my blog)
Having a bit of weird issue.
We run a 4 node Solr Cloud, version 8.6.2 and for the most part it's been
going quite well for more than 2 years now. We have to restart them
occasionally to free up ram but I guess that's normal.
Last night one of the nodes went into swap, used up all memory
I managed to get it to start replicating the missing nodes, manually, using:
curl "http://192.168.1.4:8983/solr/admin/collections?action=ADDREPLICA&collection=mycollection&shard=shard10&node=192.168.1.11:8983_solr"
Is it normal to have to tell it manually which replicas to host after such a
cr
Solr is affected. Please see the statement at the
https://solr.apache.org/security.html page
On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood
wrote:
> Does all Solr logging go through slf4j? If so, that should protect against
> this vulnerability.
>
> If not, who has tested Solr with log4j 2.15
In addition to the mitigation strategies mentioned on the Solr page, the
below blog post indicates that you should be protected if you are using
Java 11.0.1 and up
https://www.lunasec.io/docs/blog/log4j-zero-day/
On Fri, Dec 10, 2021 at 3:07 PM Mike Drob wrote:
> Solr is affected. Please see th
Thanks for the information Mike!
I noticed that on https://solr.apache.org/security.html it lists the
following statement for Solr releases prior to 7:
Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use
log4j 1.2.17 which may be vulnerable for installations using non-defa
Unless other attack vectors are found, which are now noted in that same
section if you are running through Tomcat.
On 12/10/21 2:22 PM, Rahul Goswami wrote:
In addition to the mitigation strategies mentioned on the Solr page, the
below blog post indicates that you should be protected if you are
If you are opting in to using a lookup capable appender then you are
vulnerable. I don’t have a POC for testing it, but generally you’d only be
affected if you’re using this functionality explicitly
On Fri, Dec 10, 2021 at 3:21 PM mtn search wrote:
> Thanks for the information Mike!
>
> I notice
Thanks again Mike!
Do you perhaps have an example of a lookup capable appender for log4j
v1.2? I have only found lookups for 2.x
https://logging.apache.org/log4j/2.x/manual/lookups.html.
I am only using two types of appenders for v1.2:
org.apache.log4j.ConsoleAppender
org.apache.log4j.
The statement on the https://solr.apache.org/security.html page states that
all 7.X and all 8.X versions are vulnerable, however looking at my 7.3.1
Solr instance I am still finding the 1.2.17 version of the log4j jar.
I found https://issues.apache.org/jira/browse/SOLR-7887 which indicates
that th
Andy - you are correct, we will update the notice on the site. Thank you
for checking the details.
On Fri, Dec 10, 2021 at 4:08 PM Andy C wrote:
> The statement on the https://solr.apache.org/security.html page states
> that
> all 7.X and all 8.X versions are vulnerable, however looking at my 7.
Mike,
I see that the "Versions Affected" statement has been updated, but further
down it still states "Apache Solr releases prior to 7.0 (i.e. all Solr 5
and Solr 6 releases) use log4j 1.2.17".
7.0 should be updated to 7.4.
- Andy -
On Fri, Dec 10, 2021 at 5:10 PM Mike Drob wrote:
> Andy - yo
Thanks again!
I also added more detail on the impact to log4j 1 to the announcement text
On Fri, Dec 10, 2021 at 4:32 PM Andy C wrote:
> Mike,
>
> I see that the "Versions Affected" statement has been updated, but further
> down it still states "Apache Solr releases prior to 7.0 (i.e. all Solr
It looks like this affects Solr versions >= 7. Am I reading this correctly?
References:
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
https://help.aliyun.com/noticelist/articleid/1060971232.html
I trust that by now you’ve seen the discussion earlier today on this mailing
list about it.
On 12/10/2021 12:38 PM, Scott wrote:
Having a bit of weird issue.
We run a 4 node Solr Cloud, version 8.6.2 and for the most part it's been
going quite well for more than 2 years now. We have to restart them
occasionally to free up ram but I guess that's normal.
If you have to restart becaus