2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228
In light of the recent Log4j announcement, TQS has evaluated the software it provides to identify anything affected; the findings are detailed below. The Livepoint X platform uses Apache Solr for indexing, and Apache Solr itself depends on Log4j. Apache advises that publicly exposed instances of this software are most at risk, and on that basis the Apache Solr deployments within the Livepoint X stack are not under immediate threat. Note, however, that the vulnerability is triggered by attacker-controlled text reaching a log statement, so any internal user or system able to send requests to an unmitigated Solr instance could still exploit it.
The recommended mitigation, should the customer deem it necessary, is to disable the Log4j message lookup feature that allows this execution, as detailed below. An upcoming release of the Livepoint X platform will remove this risk by upgrading the version of Apache Solr deployed.
Livepoint X versions affected: All 1.3 and 1.4 versions
Apache Solr versions affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0
Description: Apache Solr releases prior to 8.11.1 use a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.
Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through 7.3) use log4j 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender (see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for further details).
The Prometheus Exporter Contrib is similarly separately affected.
Any of the following are enough to prevent this vulnerability for Solr servers:
- (Windows) Edit your solr.in.cmd file to include:
  set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
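The following is an added triage helper, not TQS or Apache code, that turns the advisory above into an offline check: it classifies a Solr version against the ranges given (7.4 and later bundle Log4j 2 and are vulnerable below 8.11.1; earlier releases use log4j 1.2.17 and only matter if the JMS Appender is configured), and it inspects copies of solr.in.cmd / solr.in.sh for the formatMsgNoLookups flag. The solr.in.sh form of the mitigation (SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true") is taken from the upstream Apache advisory rather than this page. File contents are passed in as strings so nothing needs a Solr install; the SAMPLE_* values are constructed for the demonstration, and the function names are the example's own.

```python
"""Offline triage for the Apache Solr / Log4j advisory (added example, not vendor code)."""
import re

FIXED = (8, 11, 1)          # first Solr release with a non-vulnerable bundled Log4j
FIRST_LOG4J2 = (7, 4, 0)    # 7.4 onwards bundles Log4j 2 (7.4.0-7.7.3, 8.0.0-8.11.0 affected)

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"


def parse_version(text):
    """'8.11.0' or '8.11.0-SNAPSHOT' -> (8, 11, 0); missing components are zero."""
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])[:3]]
    if not nums:
        raise ValueError(f"not a Solr version: {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))


def solr_status(version):
    """Classify a Solr version in the advisory's terms."""
    v = parse_version(version)
    if v >= FIXED:
        return "fixed"
    if v >= FIRST_LOG4J2:
        return "log4j2-vulnerable"
    return "log4j1-check-jms"   # pre-7.4: log4j 1.2.17, only the JMS Appender path matters


def _active_lines(text):
    """Yield non-comment lines: '#'/'!' (sh, .properties) and 'REM'/'::' (cmd)."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#!" or s.startswith("::") or re.match(r"rem(\s|$)", s, re.I):
            continue
        yield s


def lookups_disabled(start_script):
    """True if an uncommented SOLR_OPTS line in solr.in.sh / solr.in.cmd passes the flag."""
    return any("SOLR_OPTS" in s and FLAG in s for s in _active_lines(start_script))


def jms_appender_configured(log4j_config):
    """True if a log4j 1.x properties or XML config references the JMS Appender."""
    without_xml_comments = re.sub(r"<!--.*?-->", "", log4j_config, flags=re.S)
    return any(JMS_APPENDER in s for s in _active_lines(without_xml_comments))


def triage(version, start_script="", log4j_config=""):
    """One verdict per instance: what the advisory says applies and what to do next."""
    status = solr_status(version)
    if status == "fixed":
        return {"status": status, "action": "none"}
    if status == "log4j2-vulnerable":
        if lookups_disabled(start_script):
            return {"status": status, "action": "mitigated; upgrade to 8.11.1 or later when possible"}
        return {"status": status, "action": "add " + FLAG + " to SOLR_OPTS, or upgrade to 8.11.1 or later"}
    if jms_appender_configured(log4j_config):
        return {"status": status, "action": "non-default config uses JMSAppender; remove it"}
    return {"status": status, "action": "none (default log4j 1.x configuration)"}


# Constructed sample files for the demonstration (not real customer configuration).
SAMPLE_CMD_UNMITIGATED = """\
REM set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
set SOLR_JAVA_MEM=-Xms512m -Xmx512m
"""
SAMPLE_CMD_MITIGATED = """\
set SOLR_JAVA_MEM=-Xms512m -Xmx512m
set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
"""
SAMPLE_SH_MITIGATED = 'SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"\n'
SAMPLE_LOG4J1_JMS = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

if __name__ == "__main__":
    print("8.11.0 / commented-out flag:", triage("8.11.0", SAMPLE_CMD_UNMITIGATED))
    print("8.11.0 / flag set:          ", triage("8.11.0", SAMPLE_CMD_MITIGATED))
    print("7.3.1  / JMS appender:      ", triage("7.3.1", "", SAMPLE_LOG4J1_JMS))
    print("8.11.1:                     ", triage("8.11.1"))
```

The check reads the start-up script, not the running JVM, so a server that was never restarted after the edit will pass the file check while still being vulnerable; on a live instance, confirm that log4j2.formatMsgNoLookups appears among the Java properties of the running process (the Solr Admin UI lists them) before treating it as mitigated. The flag is a mitigation only; upgrading Solr to 8.11.1 or later, as the upcoming Livepoint X release does, is the complete remediation.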