On 12/21/21 10:21 PM, d3-ito wrote:
I have a question about Log4J CVE-2021-44228.
The Log4j site says that "log4j2.formatMsgNoLookups=true" is an insufficient mitigation measure.
https://logging.apache.org/log4j/2.x/security.html

On the other hand, the Solr site says that "log4j2.formatMsgNoLookups=true" is a sufficient mitigation measure.
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

In Solr, is "log4j2.formatMsgNoLookups=true" a sufficient mitigation measure?

For the original log4j CVE that you have mentioned (CVE-2021-44228), setting the system property at startup does completely mitigate that one specific problem.

The Solr security page contains the following paragraph about the later log4j CVEs:

---
Apache Solr releases are not vulnerable to the followup CVE-2021-45046 and CVE-2021-45105, because the MDC patterns used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized and injected into log files with "%X". Passing system property log4j2.formatMsgNoLookups=true (as described below) is suitable to mitigate.
---

Solr does not allow special characters in its identifiers, so it is not possible to name cores, shards, replicas, or collections with a name that would trigger the vulnerability.  Solr never inserts end user input into the Mapped Diagnostic Context (MDC). It is extremely unlikely that anyone deploying Solr would have node names that would trigger it, and if an attacker can change your node names, they already have access to much more sensitive information than what's in your search engine.

Thanks,
Shawn
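The reply above rests on two checks a Solr operator can verify for themselves: that the JVM actually started with the no-lookups mitigation, and that the names Solr places into the MDC cannot contain the `${` lookup syntax. The script below is an added illustration written for this thread, not Shawn's code and not part of Solr or log4j. The command lines and names are constructed samples, and the identifier pattern (letters, digits, `_`, `-`, `.`, no leading `-`) is an assumption standing in for Solr's own validation rather than a copy of it.

```python
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample JVM command lines (not taken from a real Solr install).
SAMPLE_MITIGATED = (
    "java -server -Xms512m -Dlog4j2.formatMsgNoLookups=true "
    "-Dsolr.log.dir=/var/solr/logs -jar start.jar"
)
SAMPLE_UNMITIGATED = (
    "java -server -Xms512m -Dsolr.log.dir=/var/solr/logs -jar start.jar"
)

# Assumed stand-in for Solr's identifier rule: alphanumerics, '_', '-', '.'
# and no leading '-'. Anything else (including '$', '{', '}') is rejected.
IDENTIFIER_RE = re.compile(r"^(?!-)[A-Za-z0-9_.\-]+$")


def lookups_disabled(cmdline: str, env: Optional[Dict[str, str]] = None) -> bool:
    """Return True if the JVM was started with message lookups disabled.

    The system property takes precedence over the environment variable,
    which is the order log4j 2.10+ itself applies.
    """
    env = env or {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-Dlog4j2.formatMsgNoLookups="):
            return tok.split("=", 1)[1].strip().lower() == "true"
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"


def is_valid_identifier(name: str) -> bool:
    """True if the name would pass the (assumed) identifier rule."""
    return IDENTIFIER_RE.fullmatch(name) is not None


def unsafe_mdc_values(values: List[str]) -> List[str]:
    """Return the MDC candidates that the identifier rule would reject.

    Names that fail here could never reach a '%X' pattern through Solr's
    collection/shard/replica/core names, which is the point of the reply.
    """
    return [v for v in values if not is_valid_identifier(v)]


if __name__ == "__main__":
    print("mitigated startup:", lookups_disabled(SAMPLE_MITIGATED))
    print("unmitigated startup:", lookups_disabled(SAMPLE_UNMITIGATED))
    # Constructed candidate names: the second one carries lookup syntax.
    print("rejected names:",
          unsafe_mdc_values(["products_shard1_replica_n1", "core${x}", "-bad"]))
```

Run it against the real `ps` output of a Solr JVM (or `/proc/<pid>/cmdline`) instead of the constructed samples to confirm the property is really present at runtime; a value set only in a config file that the start script never reads will show up as unmitigated, which is exactly the case worth catching.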
