On 1/11/2022 7:28 AM, [email protected] wrote:
For Solr side mitigation for log4j, we have manually updated the log4j-core and log4j-api files to latest versions (2.17.1) and have done "(Linux/MacOS) Edit your solr.in.sh file to include: SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"" this mitigation step as well, as mentioned in the Solr security update https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 . The CompanySecurity Team have shared a vulnerability in Solr's end. Can you please confirm that these mitigation steps are good to solve the issue from Solr's end?
If you upgraded the jars, there is no need to add the system property to the startup options. Adding the property will not cause problems, but it is unnecessary with the newer log4j version.
The Solr application is installed as a service in our system, can you please share the steps needed to update solr to the latest version, without losing the data indexed in solr.
Exactly how to upgrade Solr will depend on what OS it's on and how you installed the service. If you're on a non-Windows system and used the install_solr_service.sh script, you can do the same thing again, except add the "-f" option when calling the script. That option means "force" ... so it will go ahead with the install even if it detects that the service is already installed.
Thanks, Shawn
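
One way to confirm the manual jar swap described in this thread is to audit every log4j-core and log4j-api jar left on disk. This is an added example, not part of the original messages or of Solr itself; the function names, the directory argument, and the assumption that jars keep the upstream log4j-<artifact>-<version>.jar naming are all illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): audit log4j-core / log4j-api jar versions.
# Assumption: jars keep the upstream naming log4j-<artifact>-<version>.jar.

MIN_VERSION="2.17.1"   # the version the original poster upgraded to

# version_ge A B: succeeds when dotted version A >= B (major.minor.patch).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = x[i] + 0; q = y[i] + 0   # "+ 0" keeps only the leading digits
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }' </dev/null
}

# audit_log4j DIR: prints "OK|OLD <version> <path>" for each jar found.
# Returns 0 if all are >= MIN_VERSION, 1 if any is older, 2 if none were found.
audit_log4j() {
    report=$(find "$1" -type f \
            \( -name 'log4j-core-*.jar' -o -name 'log4j-api-*.jar' \) |
        while IFS= read -r jar; do
            ver=${jar##*/}; ver=${ver%.jar}
            ver=${ver#log4j-core-}; ver=${ver#log4j-api-}
            if version_ge "$ver" "$MIN_VERSION"; then
                echo "OK  $ver $jar"
            else
                echo "OLD $ver $jar"
            fi
        done)
    [ -n "$report" ] || return 2
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^OLD '; then return 1; fi
    return 0
}

# Usage: sh audit.sh /path/to/solr   (the path is whatever your install uses)
if [ "$#" -gt 0 ]; then
    audit_log4j "$1"
fi
```

An exit status of 1 means at least one jar older than 2.17.1 is still present under the directory, for example a copy left behind beside the replaced file.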
