Recent CVE reports
Below is a list of already announced CVE vulnerabilities. Note that CVEs prior to 2021-12-10 is not listed
CVE# | Date | Announcement |
---|---|---|
2021-12-10 | ||
2021-12-10, Locator and Supervisor affected by Apache Log4J CVE-2021-44228
Severity: Critical
Versions Affected: Locator 2.x and 3.x
Description: Locator releases prior to 3.3.1 were using a bundled Solr that were using a version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Solr security page https://solr.apache.org/security.html .
Locator releases prior to 3.3.1 were using a bundled ZooKeeper that were using log4j 1.2.17 which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423
Locator releases prior to 2.11.903 were using a bundled Solr that were using log4j 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.
Locator releases prior to 2.11.903 were using a bundled ZooKeeper that were using log4j 1.2.17 which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423.
Mitigation:
For Locator 3.x any of the following are enough to prevent this vulnerability for Locator servers:
Upgrade to
Locator 3.3.2
or greater (when available), which will include an updated version of Solr.ZooKeeper mitigation to be announced if any is needed.
For Locator 2.x any of the following are enough to prevent this vulnerability for Locator servers:
Upgrade to
Locator 2.11 SR9
or greater (when available), which will include,set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
in solr.cmd.in by default.Edit your
solr.in.cmd
file to include:set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
and perform a restart of the Locator Index Service.solr.in.cmd
is located in<Program Files>\ayfie\Locator\SOLR\bin\
.ZooKeeper mitigation to be announced if any is needed.