This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 79bb93a Automatic Site Publish by Buildbot
79bb93a is described below
commit 79bb93a32a14e92dbe5adf39fe5370e5cd894c2f
Author: buildbot <[email protected]>
AuthorDate: Tue Dec 14 16:29:35 2021 +0000
Automatic Site Publish by Buildbot
---
output/feeds/all.atom.xml | 17 +++++------------
output/feeds/solr/security.atom.xml | 17 +++++------------
output/news.html | 17 +++++------------
output/security.html | 17 +++++------------
4 files changed, 20 insertions(+), 48 deletions(-)
diff --git a/output/feeds/all.atom.xml b/output/feeds/all.atom.xml
index 7a9fb08..04e2ed3 100644
--- a/output/feeds/all.atom.xml
+++ b/output/feeds/all.atom.xml
@@ -10,27 +10,20 @@ Critical</p>
7.4.0 to 7.7.3, 8.0.0 to 8.11.0</p>
<p><strong>Description:</strong>
Apache Solr releases prior to 8.11.1 were using a bundled version of the
Apache Log4J library vulnerable to RCE. For full impact and additional detail
consult the Log4J security page.</p>
-<p>Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7
through 7.3) use log4j 1.2.17 which may be vulnerable for installations using
non-default logging configurations that include the JMS Appender, see <a
href="https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126">https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126</a>
for discussion.</p>
-<p>The Prometheus Exporter Contrib is similarly separately
affected.</p>
+<p>Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7
through 7.3) use Log4J 1.2.17 which may be vulnerable for installations using
non-default logging configurations that include the JMS Appender, see <a
href="https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126">https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126</a>
for discussion.</p>
+<p>Solr's Prometheus Exporter uses Log4J as well but it does not log
user input or data, so we don't see a risk there.</p>
<p><strong>Mitigation:</strong>
Any of the following are enough to prevent this vulnerability for Solr
servers:</p>
<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the log4j2
dependency.</li>
-<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the Log4J
dependency.</li>
+<li>If you are using Solr's official docker image, no matter the
version, it has already been mitigated. You may need to re-pull the
image.</li>
+<li>Manually update the version of Log4J on your runtime classpath and
restart your Solr application.</li>
<li>(Linux/MacOS) Edit your <code>solr.in.sh</code> file to
include:
<code>SOLR_OPTS="$SOLR_OPTS
-Dlog4j2.formatMsgNoLookups=true"</code></li>
<li>(Windows) Edit your <code>solr.in.cmd</code> file to
include:
<code>set SOLR_OPTS=%SOLR_OPTS%
-Dlog4j2.formatMsgNoLookups=true</code></li>
<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
</ul>
-<p>The vulnerability in the Prometheus Exporter Contrib can be mitigated
by any of the following:</p>
-<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the log4j2
dependency.</li>
-<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
-<li>Edit your <code>solr-exporter</code> script to include:
- <code>JAVA_OPTS="$JAVA_OPTS
-Dlog4j2.formatMsgNoLookups=true"</code></li>
-<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
-</ul>
<p><strong>References:</strong>
<a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></p></content><category
term="solr/security"></category></entry><entry><title>Apache Solr Operator™
v0.5.0 available</title><link
href="/apache-solr-operatortm-v050-available.html"
rel="alternate"></link><published>2021-11-16T00:00:00+00:00</published><updated>2021-11-16T00:00:00+00:00</updated><author><name>Solr
Developers</name></author><id>tag:None,2021- [...]
<p>The Apache Solr Operator is a safe and easy way of managing a Solr
ecosystem in Kubernetes.</p>
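Review bot: Dropping the whole exporter mitigation list (the removed `<p>The vulnerability in the Prometheus Exporter Contrib can be mitigated by any of the following:</p>` block together with its `JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"` line for `solr-exporter`) goes further than the new wording supports: the added paragraph still says the exporter "uses Log4J as well", so the vulnerable library is present and only the absence of logged user input keeps it out of reach. Suggest keeping the `JAVA_OPTS` line as an optional hardening step, or, if 8.11.1 also ships the exporter with the updated Log4J, saying so explicitly, so that the "we don't see a risk there" statement rests on a fix rather than on current logging behaviour that a custom logging configuration could change.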
diff --git a/output/feeds/solr/security.atom.xml
b/output/feeds/solr/security.atom.xml
index 3324b2e..602e586 100644
--- a/output/feeds/solr/security.atom.xml
+++ b/output/feeds/solr/security.atom.xml
@@ -10,27 +10,20 @@ Critical</p>
7.4.0 to 7.7.3, 8.0.0 to 8.11.0</p>
<p><strong>Description:</strong>
Apache Solr releases prior to 8.11.1 were using a bundled version of the
Apache Log4J library vulnerable to RCE. For full impact and additional detail
consult the Log4J security page.</p>
-<p>Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7
through 7.3) use log4j 1.2.17 which may be vulnerable for installations using
non-default logging configurations that include the JMS Appender, see <a
href="https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126">https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126</a>
for discussion.</p>
-<p>The Prometheus Exporter Contrib is similarly separately
affected.</p>
+<p>Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7
through 7.3) use Log4J 1.2.17 which may be vulnerable for installations using
non-default logging configurations that include the JMS Appender, see <a
href="https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126">https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126</a>
for discussion.</p>
+<p>Solr's Prometheus Exporter uses Log4J as well but it does not log
user input or data, so we don't see a risk there.</p>
<p><strong>Mitigation:</strong>
Any of the following are enough to prevent this vulnerability for Solr
servers:</p>
<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the log4j2
dependency.</li>
-<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the Log4J
dependency.</li>
+<li>If you are using Solr's official docker image, no matter the
version, it has already been mitigated. You may need to re-pull the
image.</li>
+<li>Manually update the version of Log4J on your runtime classpath and
restart your Solr application.</li>
<li>(Linux/MacOS) Edit your <code>solr.in.sh</code> file to
include:
<code>SOLR_OPTS="$SOLR_OPTS
-Dlog4j2.formatMsgNoLookups=true"</code></li>
<li>(Windows) Edit your <code>solr.in.cmd</code> file to
include:
<code>set SOLR_OPTS=%SOLR_OPTS%
-Dlog4j2.formatMsgNoLookups=true</code></li>
<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
</ul>
-<p>The vulnerability in the Prometheus Exporter Contrib can be mitigated
by any of the following:</p>
-<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when
available), which will include an updated version of the log4j2
dependency.</li>
-<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
-<li>Edit your <code>solr-exporter</code> script to include:
- <code>JAVA_OPTS="$JAVA_OPTS
-Dlog4j2.formatMsgNoLookups=true"</code></li>
-<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
-</ul>
<p><strong>References:</strong>
<a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></p></content><category
term="solr/security"></category></entry><entry><title>CVE-2021-27905: SSRF
vulnerability with the Replication handler</title><link
href="/cve-2021-27905-ssrf-vulnerability-with-the-replication-handler.html"
rel="alternate"></link><published>2021-04-12T00:00:00+00:00</published><updated>2021-04-12T00:00:00+00:00</updated><author><name
[...]
High</p>
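Review bot: The added `<li>If you are using Solr's official docker image, no matter the version, it has already been mitigated. You may need to re-pull the image.</li>` makes a claim an operator cannot check from this page. State what the mitigation in the image is (an updated Log4J jar, or the same `-Dlog4j2.formatMsgNoLookups=true` setting baked into the image) and where the rebuilt tags are announced, so that "you may need to re-pull" can be verified against an image digest or the running `java` command line rather than taken on trust.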
diff --git a/output/news.html b/output/news.html
index 2a9f0d3..40a8d84 100644
--- a/output/news.html
+++ b/output/news.html
@@ -141,27 +141,20 @@ Critical</p>
7.4.0 to 7.7.3, 8.0.0 to 8.11.0</p>
<p><strong>Description:</strong>
Apache Solr releases prior to 8.11.1 were using a bundled version of the
Apache Log4J library vulnerable to RCE. For full impact and additional detail
consult the Log4J security page.</p>
-<p>Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through
7.3) use log4j 1.2.17 which may be vulnerable for installations using
non-default logging configurations that include the JMS Appender, see <a
href="https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126">https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126</a>
for discussion.</p>
-<p>The Prometheus Exporter Contrib is similarly separately affected.</p>
+<p>Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through
7.3) use Log4J 1.2.17 which may be vulnerable for installations using
non-default logging configurations that include the JMS Appender, see <a
href="https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126">https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126</a>
for discussion.</p>
+<p>Solr's Prometheus Exporter uses Log4J as well but it does not log user
input or data, so we don't see a risk there.</p>
<p><strong>Mitigation:</strong>
Any of the following are enough to prevent this vulnerability for Solr
servers:</p>
<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the log4j2 dependency.</li>
-<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the Log4J dependency.</li>
+<li>If you are using Solr's official docker image, no matter the version, it
has already been mitigated. You may need to re-pull the image.</li>
+<li>Manually update the version of Log4J on your runtime classpath and restart
your Solr application.</li>
<li>(Linux/MacOS) Edit your <code>solr.in.sh</code> file to include:
<code>SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"</code></li>
<li>(Windows) Edit your <code>solr.in.cmd</code> file to include:
<code>set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true</code></li>
<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
</ul>
-<p>The vulnerability in the Prometheus Exporter Contrib can be mitigated by
any of the following:</p>
-<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the log4j2 dependency.</li>
-<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
-<li>Edit your <code>solr-exporter</code> script to include:
- <code>JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"</code></li>
-<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
-</ul>
<p><strong>References:</strong>
<a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></p>
<h2 id="apache-solrtm-8110-available">16 November 2021, Apache Solr™ 8.11.0
available
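Review bot: The context line `<li>Follow any of the other mitgations listed at <a` still carries the typo "mitgations"; since this hunk rewrites the surrounding list anyway, fix it to "mitigations" in the site source (these files are Buildbot output, so the correction belongs upstream, not in this commit). On the same lines, the hunk normalises "log4j2" to "Log4J", which matches the unchanged `Apache Log4J library` description line, but the project writes its own name "Log4j"; if capitalisation is being normalised, normalise to that.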
diff --git a/output/security.html b/output/security.html
index 7ba1b7b..dfeecc8 100644
--- a/output/security.html
+++ b/output/security.html
@@ -225,27 +225,20 @@ Critical</p>
7.4.0 to 7.7.3, 8.0.0 to 8.11.0</p>
<p><strong>Description:</strong>
Apache Solr releases prior to 8.11.1 were using a bundled version of the
Apache Log4J library vulnerable to RCE. For full impact and additional detail
consult the Log4J security page.</p>
-<p>Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through
7.3) use log4j 1.2.17 which may be vulnerable for installations using
non-default logging configurations that include the JMS Appender, see <a
href="https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126">https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126</a>
for discussion.</p>
-<p>The Prometheus Exporter Contrib is similarly separately affected.</p>
+<p>Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through
7.3) use Log4J 1.2.17 which may be vulnerable for installations using
non-default logging configurations that include the JMS Appender, see <a
href="https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126">https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126</a>
for discussion.</p>
+<p>Solr's Prometheus Exporter uses Log4J as well but it does not log user
input or data, so we don't see a risk there.</p>
<p><strong>Mitigation:</strong>
Any of the following are enough to prevent this vulnerability for Solr
servers:</p>
<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the log4j2 dependency.</li>
-<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
+<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the Log4J dependency.</li>
+<li>If you are using Solr's official docker image, no matter the version, it
has already been mitigated. You may need to re-pull the image.</li>
+<li>Manually update the version of Log4J on your runtime classpath and restart
your Solr application.</li>
<li>(Linux/MacOS) Edit your <code>solr.in.sh</code> file to include:
<code>SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"</code></li>
<li>(Windows) Edit your <code>solr.in.cmd</code> file to include:
<code>set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true</code></li>
<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
</ul>
-<p>The vulnerability in the Prometheus Exporter Contrib can be mitigated by
any of the following:</p>
-<ul>
-<li>Upgrade to <code>Solr 8.11.1</code> or greater (when available), which
will include an updated version of the log4j2 dependency.</li>
-<li>Manually update the version of log4j2 on your runtime classpath and
restart your Solr application.</li>
-<li>Edit your <code>solr-exporter</code> script to include:
- <code>JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"</code></li>
-<li>Follow any of the other mitgations listed at <a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></li>
-</ul>
<p><strong>References:</strong>
<a
href="https://logging.apache.org/log4j/2.x/security.html">https://logging.apache.org/log4j/2.x/security.html</a></p>
<hr/>
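Review bot: The list opens with "Any of the following are enough", which puts the `SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"` and `set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true` edits on the same footing as upgrading; the property only disables message lookups in the running JVM, and it silently does nothing if the edited `solr.in.sh` or `solr.in.cmd` is not the file the service actually reads, or Solr is not restarted afterwards. Suggest ranking the upgrade (or replacing the jars on the runtime classpath) as the fix and presenting the property as an interim measure, and adding one line on how to confirm it took effect, for example by checking that the property appears on the Solr admin UI's Java Properties page after the restart.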