This article contains a list of known security vulnerability reports in Ayfie products.

How to report security vulnerabilities

You may file your request at https://ayfie-dev.atlassian.net/servicedesk.

Recent security vulnerabilities

Below is a list of already announced CVE security vulnerabilities. Note that CVE security vulnerabilities announced before 2021-12-10 are not listed.

CVE#            Date        Announcement
CVE-2021-44228  2021-12-10  https://ayfie-dev.atlassian.net/wiki/spaces/SAGA/pages/2889547777/Security#2021-12-10,-Locator-and-Supervisor-affected-by-Apache-Log4J-CVE-2021-44228

Severity: Critical

Versions Affected: Locator 2.x and 3.x

Description: Locator releases prior to 3.3.1 bundled a Solr that used a version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Solr security page https://solr.apache.org/security.html .

Locator releases prior to 3.3.1 bundled a ZooKeeper that used log4j 1.2.17, which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423

Locator releases prior to 2.11.903 bundled a Solr that used log4j 1.2.17, which may be vulnerable for installations using non-default logging configurations that include the JMS Appender; see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.

Locator releases prior to 2.11.903 bundled a ZooKeeper that used log4j 1.2.17, which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423.

Mitigation:

For Locator 3.x any of the following is enough to prevent this vulnerability for Locator servers:

  • Upgrade to Locator 3.3.2 or greater (when available), which will include an updated version of Solr.

  • ZooKeeper mitigation to be announced if any is needed.

For Locator 2.x any of the following is enough to prevent this vulnerability for Locator servers:

  • Upgrade to Locator 2.11 SR9 or greater (when available), which will set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true in solr.in.cmd by default.

  • Edit your solr.in.cmd file located in <Locator installation directory>\SOLR\bin\ and add the following line to the end of that file:

    set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true

    Then stop the Locator Index Builder service, restart the Locator Index Service, and start the Locator Index Builder service again.
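The manual Locator 2.x mitigation above, scripted as an added example that is not part of the Ayfie advisory: it appends the SOLR_OPTS line only if it is not already present, restarts the services in the documented order, and then verifies that the running Solr JVM actually received the flag. The installation path and the Windows service names are assumptions, not values from the advisory.

```powershell
# Added example (not Ayfie's own script). Applies the Locator 2.x solr.in.cmd
# mitigation idempotently and checks that the Solr JVM picked up the property.
# ASSUMPTIONS: $LocatorRoot and the two service names below are placeholders.
param(
    [string]$LocatorRoot         = 'C:\Locator',            # <Locator installation directory>, assumed
    [string]$IndexBuilderService = 'LocatorIndexBuilder',   # assumed Windows service name
    [string]$IndexService        = 'LocatorIndexService'    # assumed Windows service name
)
$ErrorActionPreference = 'Stop'
$SolrInCmd = Join-Path $LocatorRoot 'SOLR\bin\solr.in.cmd'
$Line      = 'set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true'

function Test-NoLookupsConfigured {
    # True when solr.in.cmd already sets the property (regex match, any surrounding text).
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "solr.in.cmd not found at $Path" }
    return [bool](Get-Content $Path | Where-Object { $_ -match '-Dlog4j2\.formatMsgNoLookups=true' })
}

function Add-NoLookupsLine {
    # Appends the line as the last line of the file; returns $true if the file was changed.
    param([string]$Path, [string]$Text)
    if (Test-NoLookupsConfigured -Path $Path) { Write-Host "Already configured: $Path"; return $false }
    Copy-Item $Path "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # keep a backup before editing
    $raw = Get-Content $Path -Raw
    if ($raw -and -not $raw.EndsWith("`n")) { $Text = "`r`n" + $Text } # do not glue onto the last line
    Add-Content -Path $Path -Value $Text
    return $true
}

function Test-SolrJvmHasNoLookups {
    # Checks the command line of running java.exe processes that look like Solr.
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'java.exe'" |
             Where-Object { $_.CommandLine -match 'solr' }
    if (-not $procs) { return $false }
    return [bool]($procs | Where-Object { $_.CommandLine -match 'log4j2\.formatMsgNoLookups=true' })
}

if (Add-NoLookupsLine -Path $SolrInCmd -Text $Line) {
    # Restart order from the advisory: stop Index Builder, restart Index Service, start Index Builder.
    Stop-Service    -Name $IndexBuilderService
    Restart-Service -Name $IndexService
    Start-Service   -Name $IndexBuilderService
}
if (Test-SolrJvmHasNoLookups) { Write-Host 'Solr JVM is running with formatMsgNoLookups=true' }
else { Write-Warning 'No Solr JVM with formatMsgNoLookups=true found; check the service restart' }
```

The final check matters because the property only takes effect after the Solr JVM has been restarted with the new SOLR_OPTS; an edited file alone does not change a running process.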
