Apache Solr's Docker images were updated some hours ago with a simple remediation to avoid the Log4j 2 vulnerability[1] that many of you are becoming aware of -- Log4j 2 CVE-2021-44228. Just a "docker pull solr:tagVersionYouUse" (e.g. 8.11 or whatever) will update it for you. The remediation in these updated images was simply setting a Java system property to disable this misfeature of Log4j 2. If you have your own custom Docker image, you can easily do likewise, e.g. by customizing the command to run the image to have an additional argument[2] (a common remediation for other affected images). To have confidence that this was done correctly, log into your Solr admin screen and see the "Args" section and look for "-Dlog4j2.formatMsgNoLookups=true".
This is sufficient, but understand that vulnerability scanners will continue to report that Solr's images are vulnerable because they can't realistically know if Solr's configuration (e.g. via this system property) defeats the problem. It's possible the Solr project may retroactively update these images in the future for this reason.

[1] https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
[2] https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley
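As an added example (not from the post or the Solr project): a small Python check that reads the same JVM argument list the Admin UI's "Args" panel renders, available from Solr's /solr/admin/info/system endpoint under jvm.jmx.commandLineArgs, and reports whether the property is effectively set. Because the JVM applies -D options left to right, a later definition overrides an earlier one, so the check resolves the last value rather than doing a substring search. The helper names, the base URL and the abridged sample response are my own constructions.

```python
"""Verify the Log4j 2 formatMsgNoLookups mitigation on a running Solr."""
import json
import urllib.request

PROPERTY = "log4j2.formatMsgNoLookups"


def property_value(jvm_args):
    """Return the effective value of PROPERTY from a list of JVM arguments.

    -D options are applied left to right, so the last definition wins;
    returns None when the property is not set at all.
    """
    prefix = f"-D{PROPERTY}"
    value = None
    for arg in jvm_args:
        if arg == prefix:                 # "-Dname" with no '=' sets ""
            value = ""
        elif arg.startswith(prefix + "="):
            value = arg[len(prefix) + 1:]
    return value


def mitigation_applied(system_info):
    """True if a parsed /admin/info/system response shows the mitigation.

    Matches the exact "-Dlog4j2.formatMsgNoLookups=true" the post says to
    look for; any other value (or an override to false) fails the check.
    """
    args = system_info.get("jvm", {}).get("jmx", {}).get("commandLineArgs", [])
    return property_value(args) == "true"


def check_solr(base_url, timeout=5):
    """Fetch system info from a live Solr (assumed reachable at base_url)."""
    url = f"{base_url.rstrip('/')}/solr/admin/info/system?wt=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return mitigation_applied(json.load(resp))


# Constructed, abridged sample of what an updated image reports.
SAMPLE_OK = {"jvm": {"jmx": {"commandLineArgs": [
    "-Xms512m", "-Xmx512m", "-Dlog4j2.formatMsgNoLookups=true",
    "-Dsolr.log.dir=/var/solr/logs"]}}}

if __name__ == "__main__":
    print("mitigated:", mitigation_applied(SAMPLE_OK))
```

Point `check_solr("http://localhost:8983")` at a container to verify a real instance; the admin endpoint must be reachable from where the script runs.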