Mike, I see that the "Versions Affected" statement has been updated, but further down it still states "Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use log4j 1.2.17".
7.0 should be updated to 7.4. - Andy - On Fri, Dec 10, 2021 at 5:10 PM Mike Drob <md...@mdrob.com> wrote: > Andy - you are correct, we will update the notice on the site. Thank you > for checking the details. > > On Fri, Dec 10, 2021 at 4:08 PM Andy C <andycs...@gmail.com> wrote: > > > The statement on the https://solr.apache.org/security.html page states > > that > > all 7.X and all 8.X versions are vulnerable, however looking at my 7.3.1 > > Solr instance I am still finding the 1.2.17 version of the log4j jar. > > > > I found https://issues.apache.org/jira/browse/SOLR-7887 which indicates > > that the migration to log4j2 occurred with the 7.4 release. > > > > So I would think that the 7.0 - 7.3.1 releases would be in the same > > situation as the pre 7.0 releases. > > > > Is this correct? > > > > - Andy - > > > > On Fri, Dec 10, 2021 at 4:32 PM Mike Drob <md...@mdrob.com> wrote: > > > > > If you are opting in to using a lookup capable appender then you are > > > vulnerable. I don’t have a POC for testing it, but generally you’d only > > be > > > affected if you’re using this functionality explicitly > > > > > > On Fri, Dec 10, 2021 at 3:21 PM mtn search <search...@gmail.com> > wrote: > > > > > > > Thanks for the information Mike! > > > > > > > > I noticed that on https://solr.apache.org/security.html it lists the > > > > following statement for Solr releases prior to 7: > > > > > > > > Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 > releases) > > > use > > > > log4j 1.2.17 which may be vulnerable for installations using > > non-default > > > > logging configurations. To determine if you are vulnerable please > > consult > > > > the Log4J security page. > > > > > > > > I am working with Solr 6.4.2. I referenced the Log4J security page ( > > > > https://logging.apache.org/log4j/2.x/security.html ) and did not > see a > > > > means to verify whether our 1.2 log4j configuration is vulnerable. > Any > > > > tips on doing this, or other helpful links? > > > > > > > > Thanks, > > > > Matt > > > > > > > > > > > > On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <rahul196...@gmail.com > > > > > > wrote: > > > > > > > > > In addition to the mitigation strategies mentioned on the Solr > page, > > > the > > > > > below blog post indicates that you should be protected if you are > > using > > > > > Java 11.0.1 and up > > > > > > > > > > https://www.lunasec.io/docs/blog/log4j-zero-day/ > > > > > > > > > > On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote: > > > > > > > > > > > Solr is affected. Please see the statement at the > > > > > > https://solr.apache.org/security.html page > > > > > > > > > > > > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood < > > > > wun...@wunderwood.org > > > > > > > > > > > > wrote: > > > > > > > > > > > > > Does all Solr logging go through slf4j? If so, that should > > protect > > > > > > against > > > > > > > this vulnerability. > > > > > > > > > > > > > > If not, who has tested Solr with log4j 2.15.1? > > > > > > > > > > > > > > We are running 8.8.2. > > > > > > > > > > > > > > wunder > > > > > > > Walter Underwood > > > > > > > wun...@wunderwood.org > > > > > > > http://observer.wunderwood.org/ (my blog) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
