HoustonPutman commented on a change in pull request #45:
URL: https://github.com/apache/solr-site/pull/45#discussion_r766790950
##########
File path: content/solr/security/2021-12-12-cve-2021-44228.md
##########
@@ -0,0 +1,27 @@
+Title: Apache Solr affected by Apache Log4J CVE-2021-44228: JNDI features do
not protect against attacker controlled LDAP and other JNDI related endpoints
+category: solr/security
+cve: CVE-2021-44228
+
+**Severity:**
+Critical
+
+**Versions Affected:**
+7.0.0 to 7.7.3
+8.0.0 to 8.11.0
+
+**Description:**
+Apache Solr releases prior to 8.11.1 were using a bundled version of the
Apache Log4J library vulnerable to RCE. For full impact and additional detail
consult the Log4J security page.
+
+Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use
log4j 1.2.17 which may be vulnerable for installations using non-default
logging configurations. To determine you if you are vulnerable please consult
the Log4J security page.
+
+**Mitigation:**
+Any of the following are enough to prevent this vulnerability:
+
+* Upgrade to `Solr 8.11.1` or greater, which will include an updated version
of the log4j2 dependancy.
Review comment:
I would note that this is an unreleased version as of now.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
