Re: Solr and CVE-2021-44228

2021-12-11 Thread Bram Van Dam
In case anyone wants to patch 7.7.3 from source, here's a patch and quick build instructions: Apply the attached patch -- hopefully the mailing list won't nerf the attachment. git am < /path/to/CVE-2021-4422.txt ant clean compile jar -Dversion=7.7.3 cd solr ant package -Dversion=7.7.3 - Br

Update Log4J library version for Solr 6.6.3

2021-12-11 Thread Woei Jong Yoon
Hi All, Currently Solr version 6.6.3 is using the log4j library with version 1.2.17. We plan to update the log4j library version to 2.15 because the log4j library is at end of support. May we check that Solr 6.6.3 is able to support it? Additional advice will be appreciated. Thank you. Regards, Yoon W

Re: Update Log4J library version for Solr 6.6.3

2021-12-11 Thread Yuval Paz
Log4j2 is not a simple upgrade of log4j(1), in fact, it is a completely new library. Although I'm not 100% sure about how Solr uses log4j, in most cases it is not a simple plug and play. If you are concerned about the 0-day vulnerability, see the link below. From my understanding, the vulnerabi

RE: Solr Cloud Node re-join issue

2021-12-11 Thread Scott
Thanks Shawn. Most people I talked to sort of acknowledged that restarting SOLR every month or so is a given, but your comments are encouraging. These nodes have 32Gb of ram: real memory = 34359738368 (32768 MB) avail memory = 33370628096 (31824 MB) and here's what I have in my solr config SO

Re: Solr Cloud Node re-join issue

2021-12-11 Thread Shawn Heisey
On 12/11/2021 8:39 AM, Scott wrote: Thanks Shawn. Most people I talked to sort of acknowledged that restarting SOLR every month or so is a given, but your comments are encouraging. These nodes have 32Gb of ram: real memory = 34359738368 (32768 MB) avail memory = 33370628096 (31824 MB) and he

Re: Update Log4J library version for Solr 6.6.3

2021-12-11 Thread Walter Underwood
log4j 1.x does not have the vulnerability, so you do not need to patch 6.6.3. If you want a current, non-vulnerable log4j library, you will need to upgrade to Solr 8.11.1. wunder Walter Underwood wun...@wunderwood.org http://observer.wunderwood.org/ (my blog) > On Dec 11, 2021, at 3:34 AM, Woe

log4j zero day exploit

2021-12-11 Thread Scott Derrick
Trying to mitigate the zero day log4j exploit without upgrading my solr instance per https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 I made the following edits: (Linux/MacOS) Edit your |solr.in.sh| file to include: |SOLR_OPTS="$SOLR_OPTS -Dlog

log4j2 exploit

2021-12-11 Thread Scott Derrick
figured out how to echo the solr_opts in startup Scott

Re: log4j zero day exploit

2021-12-11 Thread Shawn Heisey
On 12/11/21 2:05 PM, Scott Derrick wrote: Trying to mitigate the zero day log4j exploit without upgrading my solr instance per https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 I made the following edits: (Linux/MacOS) Edit your |solr.in.sh| fil

Re: log4j zero day exploit

2021-12-11 Thread Walter Underwood
The startup options are shown on the home admin page, in alphabetical order. Very handy. wunder Walter Underwood wun...@wunderwood.org http://observer.wunderwood.org/ (my blog) > On Dec 11, 2021, at 1:09 PM, Scott Derrick wrote: > > Trying to mitigate the zero day log4j exploit without upgrad

Re: log4j zero day exploit

2021-12-11 Thread Tim Casey
The vulnerability is quite nasty. If there is a user string logged in a log4j line, then you are vulnerable. I would suspect everyone would need to at least worry about it or risk becoming a bitcoin harvester. tim On Sat, Dec 11, 2021 at 2:19 PM Shawn Heisey wrote: > On 12/11/21 2:05 PM, Scot

Log4j vulnerability- Solr4 - urgent pls

2021-12-11 Thread Reej Nayagam
Hi All, In production we are using solr4 which uses log4j-1.2.17.jar. Can someone say the mitigation option for solr4? Thanks Reej -- Thanks, Reej

Re: Log4j vulnerability- Solr4 - urgent pls

2021-12-11 Thread Rahul Goswami
As pointed out by the author of log4j 1.x, the library is not susceptible to this attack the way log4j2 is. https://github.com/apache/logging-log4j2/pull/608#issuecomment-991380319 So you should be good. Rahul On Sat, Dec 11, 2021 at 9:51 PM Reej Nayagam wrote: > Hi All, > > In production we a

Re: Log4j vulnerability- Solr4 - urgent pls

2021-12-11 Thread Raveendra Yerraguntla
-Dlog4j2.formatMsgNoLookups=true restart jvm with the above param and should work. On Saturday, December 11, 2021, 09:51:54 PM EST, Reej Nayagam wrote: Hi All, In production we are using solr4 which uses log4j-1.2.17.jar. Can someone say the mitigation option for so

Re: Log4j vulnerability- Solr4 - urgent pls

2021-12-11 Thread Rahul Goswami
In case of solr4 which uses log4j-1.2.17.jar, the "log4j2.formatMsgNoLookups=true" system property is neither required nor applicable. In fact, the property was only introduced in log4j-2.10 (refer to the JIRA below). So not just Solr, but any Java application using 2 <= log4j < 2.10 will not be help

Re: Log4j vulnerability- Solr4 - urgent pls

2021-12-11 Thread Reej Nayagam
Thank you for your reply. It mentions Dlog4j2 but with solr4 it is log4j1.2.17. Can we use this command: -Dlog4j2.formatMsgNoLookups=true On Sun, 12 Dec 2021 at 12:03 PM, Raveendra Yerraguntla wrote: > >- -Dlog4j2.formatMsgNoLookups=true > > > restart jvm with the above param and sho

Re: Log4j vulnerability- Solr4 - urgent pls

2021-12-11 Thread Walter Underwood
Solr 4 does NOT have the vulnerability. You do not have to do anything. From the Solr Security page: 2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228 Severity: Critical Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0 https://solr.apache.org/security.html

Re: Log4j vulnerability- Solr4 - urgent pls

2021-12-11 Thread Reej Nayagam
Thank you for the reply. Thanks, Reej On Sun, Dec 12, 2021 at 12:38 PM Walter Underwood wrote: > Solr 4 does NOT have the vulnerability. You do not have to do anything. > > From the Solr Security page: > > 2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228 > > Severity: Critic

Re: Log4j vulnerability- Solr4 - urgent pls

2021-12-11 Thread Reej Nayagam
Thanks for the reply. Regards, Reej On Sun, Dec 12, 2021 at 12:28 PM Rahul Goswami wrote: > In case of solr4 which uses log4j-1.2.17.jar, the > "log4j2.formatMsgNoLookups=true" system property is neither required nor > applicable. In fact, the property was only introduced in log4j-2.10 (re