
Recent CVE reports

Below is a list of already announced CVE vulnerabilities affecting Locator. Note that CVEs prior to 2021-12-10 are not listed.

2021-12-10, Locator and Supervisor affected by Apache Log4J CVE-2021-44228

Severity: Critical

Versions Affected: Locator 2.x and 3.x

Description: Locator releases prior to 3.3.1 bundled a Solr that shipped a version of the Apache Log4j 2 library vulnerable to remote code execution through CVE-2021-44228 (JNDI lookups performed on attacker-controlled message data). For full impact and additional detail consult the Solr security page https://solr.apache.org/security.html .

Locator releases prior to 3.3.1 bundled a ZooKeeper that used log4j 1.2.17. Log4j 1.x does not perform message lookups and is not itself affected by CVE-2021-44228, but its JMSAppender can be abused for a comparable JNDI attack when an attacker is able to alter the logging configuration (tracked separately as CVE-2021-4104). See https://issues.apache.org/jira/browse/ZOOKEEPER-4423 .

Locator releases prior to 2.11.903 bundled a Solr that used log4j 1.2.17, which may be vulnerable only for installations using non-default logging configurations that include the JMS Appender; see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.

Locator releases prior to 2.11.903 bundled a ZooKeeper that used log4j 1.2.17, which is exposed in the same way. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423 .
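Before choosing a mitigation, a practitioner wants to know which of the four cases above applies to a given host. The following PowerShell script is an added example, not code from the original page or from the Locator product: it inventories the Log4j jars bundled anywhere under a Locator installation, classifies each one against the version thresholds published by Apache (Log4j 2.x below 2.15.0 is affected by CVE-2021-44228; Log4j 1.2.x is only exposed through a configured JMSAppender, CVE-2021-4104), and searches the logging configuration files for a JMSAppender. The installation path is an assumption.

```powershell
# Added example, not part of the original page or of the Locator product:
# inventory the Log4j jars bundled under a Locator installation and classify
# each against the cases in the advisory. The install path is an assumption;
# Solr and ZooKeeper are located by searching the whole tree.
param(
    [string]$LocatorHome = 'C:\Program Files\Locator'   # assumed install path
)

function Classify-Log4jJar {
    param([System.IO.FileInfo]$Jar)

    # Jar names follow <artifact>-<version>[-qualifier].jar, e.g. log4j-1.2.17.jar,
    # log4j-core-2.11.2.jar, log4j-slf4j-impl-2.11.2.jar, log4j-1.2-api-2.11.2.jar.
    $pattern = '^(?<artifact>log4j(?:-[a-z0-9.]+)*?)-(?<version>\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?$'
    if ($Jar.BaseName -notmatch $pattern) {
        return [pscustomobject]@{ Artifact = '?'; Version = '?'; Assessment = 'unrecognised jar name, inspect manually'; Path = $Jar.FullName }
    }
    $artifact = $Matches.artifact
    $vs = $Matches.version
    if ($vs -notmatch '\.') { $vs += '.0' }          # [version] needs at least major.minor
    $version = [version]$vs

    $assessment = switch ($true) {
        ($artifact -eq 'log4j' -and $version.Major -eq 1) {
            'Log4j 1.x: not affected by CVE-2021-44228; JMSAppender exposure (CVE-2021-4104) only if the config uses it'
        }
        ($artifact -eq 'log4j-core' -and $version -lt [version]'2.15.0') {
            'Log4j 2.x below 2.15.0: VULNERABLE to CVE-2021-44228; upgrade, or set -Dlog4j2.formatMsgNoLookups=true (2.10 and later only)'
        }
        ($artifact -eq 'log4j-core' -and $version.Major -eq 2 -and $version.Minor -eq 15) {
            'Log4j 2.15.x: CVE-2021-44228 fixed; CVE-2021-45046 remains for some non-default configurations'
        }
        ($artifact -eq 'log4j-core' -and $version -ge [version]'2.16.0') {
            'Log4j 2.16.0 or later: message lookups removed; not affected by CVE-2021-44228'
        }
        default { 'companion jar; exposure is determined by the matching log4j-core / log4j jar' }
    }
    [pscustomobject]@{ Artifact = $artifact; Version = $vs; Assessment = $assessment; Path = $Jar.FullName }
}

function Get-Log4jInventory {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Filter 'log4j*.jar' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Classify-Log4jJar -Jar $_ }
}

function Find-JmsAppenderConfig {
    param([string]$Root)
    # Log4j 1.x is only a concern when its configuration wires in
    # org.apache.log4j.net.JMSAppender, so report every config file naming it.
    Get-ChildItem -Path $Root -Recurse -Include *.properties, *.xml -File -ErrorAction SilentlyContinue |
        Select-String -Pattern 'JMSAppender' -List |
        Select-Object -ExpandProperty Path
}

$inventory = @(Get-Log4jInventory -Root $LocatorHome)
if ($inventory.Count -eq 0) {
    Write-Warning "No log4j*.jar found under $LocatorHome; check the path."
} else {
    $inventory | Sort-Object Path | Format-Table Artifact, Version, Assessment, Path -AutoSize
}

$jms = @(Find-JmsAppenderConfig -Root $LocatorHome)
if ($jms.Count -gt 0) {
    Write-Warning 'Logging configuration references JMSAppender; the Log4j 1.x JNDI exposure applies to:'
    $jms | ForEach-Object { Write-Warning "  $_" }
} elseif ($inventory.Artifact -contains 'log4j') {
    Write-Host 'Log4j 1.x is present but no JMSAppender appears in *.properties/*.xml; the default configuration is not exposed.'
}
```

The inventory reports jar names only; it does not prove a jar is on a running classpath, so read its output alongside the process command lines of the Solr and ZooKeeper JVMs. A log4j-core 2.x result below 2.15.0 is the case the mitigation section below addresses.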

Mitigation: 

For Locator 3.x, any of the following is enough to prevent this vulnerability for Locator servers:

  • Upgrade to Locator 3.3.2 or greater (when available), which will include an updated version of Solr.

  • ZooKeeper mitigation to be announced if any is needed.

For Locator 2.x, any of the following is enough to prevent this vulnerability for Locator servers:

  • Upgrade to Locator 2.11 SR9 or greater (when available), which will set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true in solr.in.cmd by default.

  • Edit your solr.in.cmd file located in <Locator installation directory>\SOLR\bin\ and add the following line to the end of that file: set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true. Then stop the Locator Index Builder service, restart the Locator Index Service, and start the Locator Index Builder service again. Note that this system property only takes effect on Log4j 2.10 through 2.14.1 (earlier 2.x releases ignore it, and 2.15.0 and later disable message lookups by default), and Apache later documented it as insufficient for some non-default configurations (CVE-2021-45046), so treat it as an interim measure until the upgrade is available.

  • ZooKeeper mitigation to be announced if any is needed.
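The manual edit and service cycle for Locator 2.x, scripted. This is an added PowerShell example, not code from the original page or from the Locator product; the installation directory and the two Windows service names are assumptions and must be matched to your host. It appends the SOLR_OPTS line only once, backs the file up first, cycles the services in the order given above, and then confirms on the running Solr JVM that the flag was actually picked up, which is the check you want before recording the mitigation as done.

```powershell
# Added example, not part of the original page or of the Locator product:
# apply the interim Locator 2.x mitigation on a Windows host and verify it on
# the live process. Install path and service names are assumptions.
param(
    [string]$LocatorHome  = 'C:\Program Files\Locator',   # assumed install path
    [string]$IndexService = 'Locator Index Service',       # assumed Windows service name
    [string]$IndexBuilder = 'Locator Index Builder'        # assumed Windows service name
)

$solrIn   = Join-Path $LocatorHome 'SOLR\bin\solr.in.cmd'
$flagLine = 'set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true'

if (-not (Test-Path -Path $solrIn)) { throw "solr.in.cmd not found at $solrIn" }

# Idempotent edit: never append a second copy of the flag.
$content = [string](Get-Content -Path $solrIn -Raw)
if ($content -match 'log4j2\.formatMsgNoLookups=true') {
    Write-Host "Flag already present in $solrIn; file left unchanged."
} else {
    $backup = "$solrIn.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
    Copy-Item -Path $solrIn -Destination $backup
    # Start on a fresh line even if the file has no trailing newline.
    $sep = if ($content.Length -eq 0 -or $content.EndsWith("`n")) { '' } else { "`r`n" }
    Add-Content -Path $solrIn -Value ($sep + $flagLine)
    Write-Host "Appended flag to $solrIn (backup: $backup)"
}

# Service cycle in the order the advisory gives: stop the builder, restart the
# index service (which launches Solr with the new SOLR_OPTS), start the builder.
Stop-Service    -Name $IndexBuilder -Force -ErrorAction Stop
Restart-Service -Name $IndexService -Force -ErrorAction Stop
Start-Service   -Name $IndexBuilder        -ErrorAction Stop

# Verify on the live JVM rather than trusting the file edit.
Start-Sleep -Seconds 15   # give the service wrapper time to launch the Solr JVM
$solrJvms = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'java.exe'" |
              Where-Object { $_.CommandLine -match 'solr' })
$withFlag = @($solrJvms | Where-Object { $_.CommandLine -match 'log4j2\.formatMsgNoLookups=true' })

if ($solrJvms.Count -eq 0) {
    Write-Warning 'No running java.exe with "solr" on its command line; check the Index Service log.'
} elseif ($withFlag.Count -eq $solrJvms.Count) {
    Write-Host "Mitigation verified: $($withFlag.Count) Solr JVM(s) running with -Dlog4j2.formatMsgNoLookups=true"
} else {
    Write-Warning 'A Solr JVM is running WITHOUT the flag; the edit was not picked up (confirm the service reads solr.in.cmd).'
}
```

Run it from an elevated PowerShell session, since stopping and starting services requires administrator rights. The verification step is the part worth keeping even if you apply the edit by hand: a JVM that was started before the edit, or from a different solr.in.cmd, will still log with lookups enabled whatever the file says.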
