
Recent CVE reports for Locator and Supervisor

Below is a list of already announced CVE vulnerabilities. Note that CVEs prior to 2021-12-10 are not listed.

2021-12-10, Locator and Supervisor affected by Apache Log4J CVE-2021-44228

Severity: Critical

Versions Affected: Locator 2.x and 3.x

Description: Locator releases prior to 3.3.1 were using a bundled Solr that used a version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Solr security page https://solr.apache.org/security.html .

Locator releases prior to 3.3.1 were using a bundled ZooKeeper that used log4j 1.2.17, which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423

Locator releases prior to 2.11.903 were using a bundled Solr that used log4j 1.2.17, which may be vulnerable for installations using non-default logging configurations that include the JMS Appender; see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.

Locator releases prior to 2.11.903 were using a bundled ZooKeeper that used log4j 1.2.17, which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423.

Mitigation: 

For Locator 3.x any one of the following is enough to prevent this vulnerability for Locator servers:

  • Upgrade to Locator 3.3.2 or greater (when available), which will include an updated version of Solr.

  • ZooKeeper mitigation to be announced.

For Locator 2.x any one of the following is enough to prevent this vulnerability for Locator servers:

  • Upgrade to Locator 2.11 SR9 or greater (when available), which will set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true in solr.in.cmd by default.

  • Edit your solr.in.cmd file to include: set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true and perform a restart of the Locator Index Service. solr.in.cmd is located in <Program Files>\ayfie\Locator\SOLR\bin\.

  • ZooKeeper mitigation to be announced.
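The solr.in.cmd edit and service restart above can be checked and applied from an elevated PowerShell prompt. The script below is an added example written for this page, not a script from ayfie or from the Solr project. It assumes that the Solr root is the parent of the bin\ directory named above (<Program Files>\ayfie\Locator\SOLR), and it does not know the Windows service name behind the "Locator Index Service", so that is left as a placeholder parameter. It also lists the log4j jars bundled under the Solr root, because the log4j2.formatMsgNoLookups property is only honoured by log4j 2.10 and later; confirming the bundled version is part of verifying that the mitigation actually applies.

```powershell
# Added example (not ayfie's or Solr's own code): check for, and optionally
# apply, the solr.in.cmd mitigation for CVE-2021-44228 on a Locator 2.x server.
# Assumptions (not taken from the advisory): the Solr root below and the
# service name, which is a placeholder you must replace.
param(
    [string]$SolrRoot    = (Join-Path $env:ProgramFiles 'ayfie\Locator\SOLR'),
    [string]$ServiceName = 'LOCATOR_INDEX_SERVICE_NAME_PLACEHOLDER',
    [switch]$Apply
)

$inCmd = Join-Path $SolrRoot 'bin\solr.in.cmd'
$flag  = '-Dlog4j2.formatMsgNoLookups=true'
$line  = "set SOLR_OPTS=%SOLR_OPTS% $flag"

# 1. Inventory the bundled log4j jars. The property only takes effect on
#    log4j 2.10+, so the version string in the jar name matters.
Get-ChildItem -Path $SolrRoot -Recurse -Filter 'log4j*.jar' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ver = if ($_.BaseName -match '-(\d+(\.\d+)+)$') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ Jar = $_.FullName; Version = $ver }
    } | Format-Table -AutoSize

# 2. Report whether solr.in.cmd already carries the mitigation.
if (-not (Test-Path -Path $inCmd)) { throw "solr.in.cmd not found at $inCmd" }
$content = Get-Content -Path $inCmd -Raw
$present = $content -match [regex]::Escape($flag)
Write-Host ("formatMsgNoLookups in solr.in.cmd: {0}" -f $(if ($present) { 'present' } else { 'MISSING' }))

# 3. With -Apply: back up the file, append the line exactly once, and restart
#    the index service so the new SOLR_OPTS are picked up.
if ($Apply -and -not $present) {
    Copy-Item -Path $inCmd -Destination "$inCmd.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
    Add-Content -Path $inCmd -Value $line
    Write-Host "Appended: $line"
    Restart-Service -Name $ServiceName
    Write-Host "Restarted service $ServiceName"
}
```

Run it without -Apply first to see the jar inventory and whether the flag is already present; run it again with -Apply (and the real service name) to make the change. The setting only takes effect after the restart, which is why the script restarts the service in the same step rather than leaving it for later.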
