Thanks again Mike!

Do you perhaps have an example of a lookup capable appender for log4j
v1.2?  I have only found lookups for 2.x
https://logging.apache.org/log4j/2.x/manual/lookups.html.

I am only using two types of appenders for v1.2:
     org.apache.log4j.ConsoleAppender
     org.apache.log4j.rolling.RollingFileAppender

Do you believe I am in the clear with these appenders?

Thanks,
Matt

On Fri, Dec 10, 2021 at 2:33 PM Mike Drob <md...@mdrob.com> wrote:

> If you are opting in to using a lookup capable appender then you are
> vulnerable. I don’t have a POC for testing it, but generally you’d only be
> affected if you’re using this functionality explicitly
>
> On Fri, Dec 10, 2021 at 3:21 PM mtn search <search...@gmail.com> wrote:
>
> > Thanks for the information Mike!
> >
> > I noticed that on https://solr.apache.org/security.html it lists the
> > following statement for Solr releases prior to 7:
> >
> > Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use
> > log4j 1.2.17 which may be vulnerable for installations using non-default
> > logging configurations. To determine if you are vulnerable please consult
> > the Log4J security page.
> >
> > I am working with Solr 6.4.2.  I referenced the Log4J security page (
> > https://logging.apache.org/log4j/2.x/security.html ) and did not see a
> > means to verify whether our 1.2 log4j configuration is vulnerable.  Any
> > tips on doing this, or other helpful links?
> >
> > Thanks,
> > Matt
> >
> >
> > On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <rahul196...@gmail.com> wrote:
> >
> > > In addition to the mitigation strategies mentioned on the Solr page, the
> > > below blog post indicates that you should be protected if you are using
> > > Java 11.0.1 and up
> > >
> > > https://www.lunasec.io/docs/blog/log4j-zero-day/
> > >
> > > On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote:
> > >
> > > > Solr is affected. Please see the statement at the
> > > > https://solr.apache.org/security.html page
> > > >
> > > > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <wun...@wunderwood.org> wrote:
> > > >
> > > > > Does all Solr logging go through slf4j? If so, that should protect against
> > > > > this vulnerability.
> > > > >
> > > > > If not, who has tested Solr with log4j 2.15.1?
> > > > >
> > > > > We are running 8.8.2.
> > > > >
> > > > > wunder
> > > > > Walter Underwood
> > > > > wun...@wunderwood.org
> > > > > http://observer.wunderwood.org/  (my blog)
> > > > >
> > > > >
> > > >
> > >
> >
>
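
Added example (not part of the thread and not code from the Solr or Log4j projects): one way to approach the question of checking a log4j 1.2 configuration is to inventory the appender classes declared in `log4j.properties` and flag anything other than the two appenders named in the top message. It assumes appender names contain no dots; the sample configuration is constructed, and singling out `org.apache.log4j.net.JMSAppender` as the 1.2 appender that performs JNDI lookups is an addition here, not a statement from the thread.

```python
import re

# Appender classes named in the top message; anything else needs a manual look.
REVIEWED = {
    "org.apache.log4j.ConsoleAppender",
    "org.apache.log4j.rolling.RollingFileAppender",
}
# Addition here, not from the thread: the log4j 1.2 appender that does JNDI lookups.
JNDI_CAPABLE = {"org.apache.log4j.net.JMSAppender"}
PREFIX = "log4j.appender."
KEY_VALUE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")

# Constructed sample configuration (not from the thread).
SAMPLE = """\
log4j.rootLogger=INFO, file, CONSOLE, jms
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.file = org.apache.log4j.rolling.RollingFileAppender
log4j.appender.file.File=logs/solr.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.sock=org.apache.log4j.net.SocketAppender
"""

def appender_classes(text):
    """Return {appender name: class} from log4j 1.2 properties text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash continuations
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or properties comment
            continue
        m = KEY_VALUE.match(line)
        if not m or not m.group(1).startswith(PREFIX):
            continue
        name = m.group(1)[len(PREFIX):]
        if "." not in name:  # "log4j.appender.NAME=class"; dotted keys are options
            found[name] = m.group(2).strip()
    return found

def audit(text):
    """Label each appender: 'reviewed', 'jndi-capable', or 'review'."""
    report = {}
    for name, cls in appender_classes(text).items():
        status = ("jndi-capable" if cls in JNDI_CAPABLE
                  else "reviewed" if cls in REVIEWED else "review")
        report[name] = (cls, status)
    return report

if __name__ == "__main__":
    for name, (cls, status) in audit(SAMPLE).items():
        print(f"{status:13} {name:8} {cls}")
```

An appender reported as `review` is only outside the short list above; the label says nothing about whether it is affected.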
