This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 26bc603 Automatic Site Publish by Buildbot
26bc603 is described below
commit 26bc603ac887c95b03562b9badeee52d82cc953a
Author: buildbot <[email protected]>
AuthorDate: Fri Dec 10 18:07:36 2021 +0000
Automatic Site Publish by Buildbot
---
output/feeds/all.atom.xml | 15 ++++++++++++---
output/feeds/solr/security.atom.xml | 15 ++++++++++++---
output/news.html | 17 +++++++++++++----
output/security.html | 19 ++++++++++++++-----
4 files changed, 51 insertions(+), 15 deletions(-)
diff --git a/output/feeds/all.atom.xml b/output/feeds/all.atom.xml
index 57de757..759a4a1 100644
--- a/output/feeds/all.atom.xml
+++ b/output/feeds/all.atom.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr</title><link
href="/" rel="alternate"></link><link href="/feeds/all.atom.xml"
rel="self"></link><id>/</id><updated>2021-12-12T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache
Solr affected by Apache Log4J CVE-2021-44228: JNDI features do not protect
against attacker controlled LDAP and other JNDI related endpoints</title><link
href="/apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi- [...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr</title><link
href="/" rel="alternate"></link><link href="/feeds/all.atom.xml"
rel="self"></link><id>/</id><updated>2021-12-12T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache
Solr affected by Apache Log4J CVE-2021-44228</title><link
href="/apache-solr-affected-by-apache-log4j-cve-2021-44228.html"
rel="alternate"></link><published>2021-12-12T00:00:00+00:00</published><updated>2021-12-12T00:0
[...]
Critical</p>
<p><strong>Versions Affected:</strong>
7.0.0 to 7.7.3
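Review bot: the entry link in the added feed line now points at /apache-solr-affected-by-apache-log4j-cve-2021-44228.html, while the removed line used the longer slug beginning /apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-, so the URL that was already in the feed stops resolving once this is published. Either add a redirect from the old slug or keep the original slug and shorten only the title text.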
@@ -13,10 +13,11 @@ Critical</p>
<p><strong>Description:</strong>
Apache Solr releases prior to 8.11.1 were using a bundled version of the
Apache Log4J library vulnerable to RCE. For full impact and additional detail
consult the Log4J security page.</p>
<p>Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6
releases) use log4j 1.2.17 which may be vulnerable for installations using
non-default logging configurations. To determine you if you are vulnerable
please consult the Log4J security page.</p>
+<p>The Prometheus Exporter Contrib is similarly separately
affected.</p>
<p><strong>Mitigation:</strong>
-Any of the following are enough to prevent this vulnerability:</p>
+Any of the following are enough to prevent this vulnerability for Solr
servers:</p>
<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the log4j2
dependancy.</li>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the log4j2
dependency.</li>
<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
<li>(Linux/MacOS) Edit your <code>solr.in.sh</code> file to
include:
<code>SOLR_OPTS="$SOLR_OPTS
-Dlog4j2.formatMsgNoLookups=true"</code></li>
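Review bot: the added sentence "The Prometheus Exporter Contrib is similarly separately affected." reads ambiguously because "similarly separately" does not say whether the exporter shares the server's exposure or has its own. Since the mitigation intro in the same hunk is now scoped to "for Solr servers", suggest wording such as "The Prometheus Exporter Contrib is also affected, independently of the Solr server."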
@@ -24,6 +25,14 @@ Any of the following are enough to prevent this
vulnerability:</p>
<code>set SOLR_OPTS=%SOLR_OPTS%
-Dlog4j2.formatMsgNoLookups=true</code></li>
<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
</ul>
+<p>The vulnerability in the Prometheus Exporter Contrib can be mitigated
by any of the following:</p>
+<ul>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the log4j2
dependency.</li>
+<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
+<li>Edit your <code>solr-exporter</code> script to include
+ <code>JAVA_OPTS="$JAVA_OPTS
-Dlog4j2.formatMsgNoLookups=true"</code></li>
+<li>Follow any of the other mitgations listed at
https://logging.apache.org/log4j/2.x/security.html</li>
+</ul>
<p><strong>References:</strong>
<a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></p></content><category
term="solr/security"></category></entry><entry><title>Apache Solr Operator™
v0.5.0 available</title><link
href="/apache-solr-operatortm-v050-available.html"
rel="alternate"></link><published>2021-11-16T00:00:00+00:00</published><updated>2021-11-16T00:00:00+00:00</updated><author><name>Solr
Developers</name></author><id>tag:None,2021- [...]
<p>The Apache Solr Operator is a safe and easy way of managing a Solr
ecosystem in Kubernetes.</p>
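Review bot: the second item of the added exporter list still says "restart your Solr application", copied from the server list, although the process that has to be restarted here is the exporter. The last added item also carries over the "mitgations" typo and gives the Log4J URL as bare text, whereas the matching server item in the context just above wraps the same URL in an a href link; fix the spelling and link it the same way.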
diff --git a/output/feeds/solr/security.atom.xml
b/output/feeds/solr/security.atom.xml
index 61532ef..5460f85 100644
--- a/output/feeds/solr/security.atom.xml
+++ b/output/feeds/solr/security.atom.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr -
solr/security</title><link href="/" rel="alternate"></link><link
href="/feeds/solr/security.atom.xml"
rel="self"></link><id>/</id><updated>2021-12-12T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache
Solr affected by Apache Log4J CVE-2021-44228: JNDI features do not protect
against attacker controlled LDAP and other JNDI related endpoints</title><link
href="/apache-solr-affected-by-apache- [...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr -
solr/security</title><link href="/" rel="alternate"></link><link
href="/feeds/solr/security.atom.xml"
rel="self"></link><id>/</id><updated>2021-12-12T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache
Solr affected by Apache Log4J CVE-2021-44228</title><link
href="/apache-solr-affected-by-apache-log4j-cve-2021-44228.html"
rel="alternate"></link><published>2021-12-12T00:00:00+00:00</publishe [...]
Critical</p>
<p><strong>Versions Affected:</strong>
7.0.0 to 7.7.3
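Review bot: both the removed and the added feed line carry updated 2021-12-12T00:00:00+00:00, and the added line shows the same value in the entry's published element, which is two days after this commit's AuthorDate of Fri Dec 10 2021. The advisory therefore goes out future-dated; confirm the date in the source content and set it to the actual publication day.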
@@ -13,10 +13,11 @@ Critical</p>
<p><strong>Description:</strong>
Apache Solr releases prior to 8.11.1 were using a bundled version of the
Apache Log4J library vulnerable to RCE. For full impact and additional detail
consult the Log4J security page.</p>
<p>Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6
releases) use log4j 1.2.17 which may be vulnerable for installations using
non-default logging configurations. To determine you if you are vulnerable
please consult the Log4J security page.</p>
+<p>The Prometheus Exporter Contrib is similarly separately
affected.</p>
<p><strong>Mitigation:</strong>
-Any of the following are enough to prevent this vulnerability:</p>
+Any of the following are enough to prevent this vulnerability for Solr
servers:</p>
<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the log4j2
dependancy.</li>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the log4j2
dependency.</li>
<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
<li>(Linux/MacOS) Edit your <code>solr.in.sh</code> file to
include:
<code>SOLR_OPTS="$SOLR_OPTS
-Dlog4j2.formatMsgNoLookups=true"</code></li>
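Review bot: the unchanged paragraph about Solr 5 and Solr 6 in this hunk still reads "To determine you if you are vulnerable", even though the change corrects "dependancy" a few lines further down. Fix it in the same pass, for example "To determine whether you are vulnerable, please consult the Log4J security page."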
@@ -24,6 +25,14 @@ Any of the following are enough to prevent this
vulnerability:</p>
<code>set SOLR_OPTS=%SOLR_OPTS%
-Dlog4j2.formatMsgNoLookups=true</code></li>
<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
</ul>
+<p>The vulnerability in the Prometheus Exporter Contrib can be mitigated
by any of the following:</p>
+<ul>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the log4j2
dependency.</li>
+<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
+<li>Edit your <code>solr-exporter</code> script to include
+ <code>JAVA_OPTS="$JAVA_OPTS
-Dlog4j2.formatMsgNoLookups=true"</code></li>
+<li>Follow any of the other mitgations listed at
https://logging.apache.org/log4j/2.x/security.html</li>
+</ul>
<p><strong>References:</strong>
<a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></p></content><category
term="solr/security"></category></entry><entry><title>CVE-2021-27905: SSRF
vulnerability with the Replication handler</title><link
href="/cve-2021-27905-ssrf-vulnerability-with-the-replication-handler.html"
rel="alternate"></link><published>2021-04-12T00:00:00+00:00</published><updated>2021-04-12T00:00:00+00:00</updated><author><name
[...]
High</p>
diff --git a/output/news.html b/output/news.html
index 8c5cf6c..46ec753 100644
--- a/output/news.html
+++ b/output/news.html
@@ -132,8 +132,8 @@
<h1 id="solr-news">Solr<sup>™</sup> News<a class="headerlink"
href="#solr-news" title="Permanent link">¶</a></h1>
<p>You may also read these news as an <a
href="/feeds/solr/news.atom.xml">ATOM feed</a>.</p>
- <h2
id="apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-features-do-not-protect-against-attacker-controlled-ldap-and-other-jndi-related-endpoints">12
December 2021, Apache Solr affected by Apache Log4J CVE-2021-44228: JNDI
features do not protect against attacker controlled LDAP and other JNDI related
endpoints
- <a class="headerlink"
href="#apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-features-do-not-protect-against-attacker-controlled-ldap-and-other-jndi-related-endpoints"
title="Permanent link">¶</a>
+ <h2 id="apache-solr-affected-by-apache-log4j-cve-2021-44228">12 December
2021, Apache Solr affected by Apache Log4J CVE-2021-44228
+ <a class="headerlink"
href="#apache-solr-affected-by-apache-log4j-cve-2021-44228" title="Permanent
link">¶</a>
</h2>
<p><strong>Severity:</strong>
Critical</p>
@@ -143,10 +143,11 @@ Critical</p>
<p><strong>Description:</strong>
Apache Solr releases prior to 8.11.1 were using a bundled version of the
Apache Log4J library vulnerable to RCE. For full impact and additional detail
consult the Log4J security page.</p>
<p>Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use
log4j 1.2.17 which may be vulnerable for installations using non-default
logging configurations. To determine you if you are vulnerable please consult
the Log4J security page.</p>
+<p>The Prometheus Exporter Contrib is similarly separately affected.</p>
<p><strong>Mitigation:</strong>
-Any of the following are enough to prevent this vulnerability:</p>
+Any of the following are enough to prevent this vulnerability for Solr
servers:</p>
<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the log4j2 dependancy.</li>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the log4j2 dependency.</li>
<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
<li>(Linux/MacOS) Edit your <code>solr.in.sh</code> file to include:
<code>SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"</code></li>
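Review bot: the added paragraph naming the Prometheus Exporter Contrib gives no version range for it, while the Solr paragraphs directly above are version-specific ("prior to 8.11.1", "prior to 7.0"). State which exporter versions bundle the affected log4j2 so that someone running only the exporter can tell whether they are in scope.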
@@ -154,6 +155,14 @@ Any of the following are enough to prevent this
vulnerability:</p>
<code>set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true</code></li>
<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
</ul>
+<p>The vulnerability in the Prometheus Exporter Contrib can be mitigated by
any of the following:</p>
+<ul>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the log4j2 dependency.</li>
+<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
+<li>Edit your <code>solr-exporter</code> script to include
+ <code>JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"</code></li>
+<li>Follow any of the other mitgations listed at
https://logging.apache.org/log4j/2.x/security.html</li>
+</ul>
<p><strong>References:</strong>
<a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></p>
<h2 id="apache-solrtm-8110-available">16 November 2021, Apache Solr™ 8.11.0
available
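Review bot: the added exporter list offers only the shell form of the JAVA_OPTS setting for the solr-exporter script, whereas the server list in the context at the top of this hunk also gives a Windows form (set SOLR_OPTS=%SOLR_OPTS% ...). Add the Windows equivalent for the exporter, or say explicitly that this item applies to the shell script only.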
diff --git a/output/security.html b/output/security.html
index d13d081..b60027b 100644
--- a/output/security.html
+++ b/output/security.html
@@ -142,7 +142,7 @@ Then please disclose responsibly by following <a
href="https://www.apache.org/se
<tr>
<td><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></td>
<td>2021-12-12</td>
- <td><a
href="#apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-features-do-not-protect-against-attacker-controlled-ldap-and-other-jndi-related-endpoints">Apache
Solr affected by Apache Log4J CVE-2021-44228: JNDI features do not protect
against attacker controlled LDAP and other JNDI related endpoints</a></td>
+ <td><a
href="#apache-solr-affected-by-apache-log4j-cve-2021-44228">Apache Solr
affected by Apache Log4J CVE-2021-44228</a></td>
</tr>
<tr>
<td><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-27905">CVE-2021-27905</a></td>
@@ -216,8 +216,8 @@ Then please disclose responsibly by following <a
href="https://www.apache.org/se
</tr>
</table>
- <h2
id="apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-features-do-not-protect-against-attacker-controlled-ldap-and-other-jndi-related-endpoints">2021-12-12,
Apache Solr affected by Apache Log4J CVE-2021-44228: JNDI features do not
protect against attacker controlled LDAP and other JNDI related endpoints
- <a class="headerlink"
href="#apache-solr-affected-by-apache-log4j-cve-2021-44228-jndi-features-do-not-protect-against-attacker-controlled-ldap-and-other-jndi-related-endpoints"
title="Permanent link">¶</a>
+ <h2 id="apache-solr-affected-by-apache-log4j-cve-2021-44228">2021-12-12,
Apache Solr affected by Apache Log4J CVE-2021-44228
+ <a class="headerlink"
href="#apache-solr-affected-by-apache-log4j-cve-2021-44228" title="Permanent
link">¶</a>
</h2>
<p><strong>Severity:</strong>
Critical</p>
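Review bot: the h2 id changes from the long "...-cve-2021-44228-jndi-features-do-not-protect-..." value to "apache-solr-affected-by-apache-log4j-cve-2021-44228", so any external link to the old fragment on security.html now lands at the top of the page instead of on the advisory. The in-page table link is updated in the previous hunk, but outside references cannot be; consider keeping an empty anchor with the old id next to the heading.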
@@ -227,10 +227,11 @@ Critical</p>
<p><strong>Description:</strong>
Apache Solr releases prior to 8.11.1 were using a bundled version of the
Apache Log4J library vulnerable to RCE. For full impact and additional detail
consult the Log4J security page.</p>
<p>Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use
log4j 1.2.17 which may be vulnerable for installations using non-default
logging configurations. To determine you if you are vulnerable please consult
the Log4J security page.</p>
+<p>The Prometheus Exporter Contrib is similarly separately affected.</p>
<p><strong>Mitigation:</strong>
-Any of the following are enough to prevent this vulnerability:</p>
+Any of the following are enough to prevent this vulnerability for Solr
servers:</p>
<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the log4j2 dependancy.</li>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the log4j2 dependency.</li>
<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
<li>(Linux/MacOS) Edit your <code>solr.in.sh</code> file to include:
<code>SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"</code></li>
@@ -238,6 +239,14 @@ Any of the following are enough to prevent this
vulnerability:</p>
<code>set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true</code></li>
<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
</ul>
+<p>The vulnerability in the Prometheus Exporter Contrib can be mitigated by
any of the following:</p>
+<ul>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the log4j2 dependency.</li>
+<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
+<li>Edit your <code>solr-exporter</code> script to include
+ <code>JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"</code></li>
+<li>Follow any of the other mitgations listed at
https://logging.apache.org/log4j/2.x/security.html</li>
+</ul>
<p><strong>References:</strong>
<a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></p>
<hr/>
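Review bot: the added JAVA_OPTS item for the solr-exporter script does not say that the exporter must be restarted, although a -D system property only takes effect when the JVM starts and the item above it does mention a restart. Add "and restart the exporter" to that item. Because the diffstat shows the same block in all four generated files under output/, make the correction in the source content and let Buildbot republish.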