[
https://issues.apache.org/jira/browse/SOLR-15846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457345#comment-17457345
]
Michael Schumann commented on SOLR-15846:
-----------------------------------------
I see that on [https://solr.apache.org/security.html] the plan is to upgrade
Log4J in 8.11.1.
> High security vulnerability in Log4J - CVE-2021-44228 bundled with Solr
> -----------------------------------------------------------------------
>
> Key: SOLR-15846
> URL: https://issues.apache.org/jira/browse/SOLR-15846
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Affects Versions: 7.4, 8.0, 8.11
> Reporter: Michael Schumann
> Priority: Major
>
> h2. Description
> A flaw was found in the Java logging library Apache Log4j 2 in versions from
> 2.0-beta9 up to and including 2.14.1. This could allow a remote attacker
> to execute code on the server if the system logs an attacker-controlled
> string value with the attacker's JNDI LDAP server lookup.
> h2. Statement
> This issue only affects log4j versions between 2.0 and 2.14.1. In order to
> exploit this flaw you need:
> * A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that
> allows an attacker to send arbitrary data,
> * A log statement in the endpoint that logs the attacker-controlled data.
> Due to the existence of JMS Appender which can use JNDI in the log4j 1.x, it
> is possible that log4j version 1.x is also affected by this vulnerability.
> The impact is still under investigation.
> h2. Mitigation
> There are two possible mitigations for this flaw in versions from 2.10 to
> 2.14.1:
> - Set the system property log4j2.formatMsgNoLookups to true, or
> - Remove the JndiLookup class from the classpath. For example: `zip -q -d
> log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
>
> Another mitigation is to upgrade to version 2.15
>
> +*References:*+
> [https://www.lunasec.io/docs/blog/log4j-zero-day/]
> [https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html]
> [https://help.aliyun.com/noticelist/articleid/1060971232.html] - Original
> Advisory
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
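Added example, not part of the Jira issue or of the Solr project's code: a small Python audit that checks a log4j-core jar against the two conditions in the quoted advisory (affected version range, JndiLookup class still packaged) and applies the class-removal mitigation the same way the quoted `zip -q -d` command does. The jar contents are constructed stand-ins built by `make_sample_jar`, an assumption for illustration rather than a real artifact.

```python
import io
import re
import zipfile

# The class the advisory says to delete from log4j-core-*.jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); a pre-release tag such as '2.0-beta9' -> (2, 0)."""
    numeric = version.split("-", 1)[0]
    return tuple(int(p) for p in numeric.split(".") if p.isdigit())


def audit_jar(jar_bytes):
    """Check a jar against the advisory: affected version range and JndiLookup still present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        manifest = (zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in names else "")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    version = m.group(1) if m else None
    vt = version_tuple(version) if version else ()
    # Advisory range: 2.0-beta9 through 2.14.1, i.e. any 2.x release below 2.15.
    vulnerable_version = (2, 0) <= vt < (2, 15)
    present = JNDI_LOOKUP in names
    return {"version": version, "vulnerable_version": vulnerable_version,
            "jndi_lookup_present": present, "exposed": vulnerable_version and present}


def remove_jndi_lookup(jar_bytes):
    """Rewrite the jar without JndiLookup.class, what the advisory's `zip -q -d` does in place."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


def make_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar (assumption); the class body is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"placeholder, not real bytecode")
    return buf.getvalue()
```

Removing the class only closes the JNDI lookup path; an upgrade to 2.15 (as the advisory's third option) is still the durable fix, so re-run `audit_jar` after any redeploy that might restore the original jar.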