Security

Recent CVE reports

Below is a list of already announced CVE vulnerabilities. Note that CVEs prior to 2021-12-10 is not listed

2021-12-10, Locator and Supervisor affected by Apache Log4J CVE-2021-44228

Severity: Critical

Versions Affected: Locator 2.x and 3.x

Description: Locator releases prior to 3.3.1 were using a bundled Solr that were using a version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Solr security page https://solr.apache.org/security.html .

Locator releases prior to 3.3.1 were using a bundled ZooKeeper that were using log4j 1.2.17 which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423

Locator releases prior to 2.11.903 were using a bundled Solr that were using log4j 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126  for discussion.

Locator releases prior to 2.11.903 were using a bundled ZooKeeper that were using log4j 1.2.17 which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423.

Mitigation: 

For Locator 3.x any of the following are enough to prevent this vulnerability for Locator servers:

• Upgrade to Locator 3.3.2 or greater (when available), which will include an updated version of Solr.

ZooKeeper mitigation to be announced if any is needed.

For Locator 2.x any of the following are enough to prevent this vulnerability for Locator servers:

• Upgrade to Locator 2.11 SR9 or greater (when available), which will include, set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true in solr.cmd.in by default.

• Edit your solr.in.cmd file to include: set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true and perform a restart of the Locator Index Service. solr.in.cmd is located in <Program Files>\ayfie\Locator\SOLR\bin\.

ZooKeeper mitigation to be announced of any is needed.