BTW, if you want to add the log4j2.formatMsgNoLookups=true system property, pay attention to how the solr "include files" are configured. You have to explicitly uncomment the lines:
./bin/solr.in.sh:# SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
./bin/solr.in.cmd:REM set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true

On Tue, Jan 11, 2022 at 5:06 PM Vincenzo D'Amore <[email protected]> wrote:

> Hi Thomas,
>
> Why the 8.11.0?
> I read that the latest stable version is 8.11.1
> https://solr.apache.org/docs/8_11_1/changes/Changes.html#v8.11.1.bug_fixes
> With the bug fix: Update Log4J to 2.16 (Mike Drob, janhoy)
>
> On Tue, Jan 11, 2022 at 4:40 PM Thomas Heldmann <[email protected]> wrote:
>
>> Dear Raghav,
>>
>> Do I understand you correctly that you want to upgrade from Solr 8.2.0 to
>> Solr 8.11.0, for example?
>>
>> First of all, you should have a look at the Solr Upgrade Notes
>> (https://solr.apache.org/guide/8_11/solr-upgrade-notes.html) and run some
>> tests on a local PC to find out whether your index schemes are still
>> working with Solr 8.11.0. If your tests were successful, you can try to
>> upgrade an existing Solr installation. The upgrade procedure is quite
>> simple:
>>
>> https://solr.apache.org/guide/8_11/upgrading-a-solr-cluster.html
>>
>> You install the new Solr version (e.g. 8.11.0) using the EXISTING service
>> name (that is very important!) in the same way as you installed Solr 8.2.0.
>> The new Solr version will be installed "besides" the old one, so there will
>> be, for example, /opt/solr-8.2.0 and /opt/solr-8.11.0. The service name
>> will be redirected to the new version. After the installation, you have to
>> verify that the environment variables in solr.in.sh are still set
>> correctly. If you are using SolrCloud, you probably have to set up a new
>> ZooKeeper ensemble and adapt the ZK variables in solr.in.sh. Now the
>> upgrade is completed and you can start the Solr service as you have done so
>> far. The new version will be started and should be able to use the existing
>> schemes and indexed data.
>>
>> I hope this helps you. Please do not hesitate to ask again if you have
>> any further questions.
>>
>> Best regards,
>> Thomas
>>
>> --
>> Thomas Heldmann
>> Bayerische Staatsbibliothek
>> Verbundzentrale des Bibliotheksverbunds Bayern
>> Leopoldstraße 240
>> 80807 München
>>
>> Tel.: 089/28638-4153
>> E-Mail: [email protected]
>>
>> >>> <[email protected]> wrote on 11.01.2022 at 15:48:
>> > Hi Team
>> >
>> > For Solr side mitigation for log4j, we have manually updated the log4j-core
>> > and log4j-api files to latest versions (2.17.1) and have done
>> > (Linux/MacOS) Edit your solr.in.sh file to include:
>> > SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
>> > this mitigation step as well as mentioned in the solr security update
>> > https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
>> > The CompanySecurity Team have shared a vulnerability in solr's end. Can you
>> > please confirm that these mitigation steps are good to solve the issue from
>> > solr's end.
>> >
>> > The Solr application is installed as a service in our system, can you please
>> > share the steps needed to update solr to the latest version, without losing
>> > the data indexed in solr.
>> > Thanks and Regards,
>> > Raghav Khandelwal
>> >
>> > This e-mail and any files transmitted with it are for the sole use of the
>> > intended recipient(s) and may contain confidential and privileged
>> > information. If you are not the intended recipient(s), please reply to the
>> > sender and destroy all copies of the original message. Any unauthorized
>> > review, use, disclosure, dissemination, forwarding, printing or copying of
>> > this email, and/or any action taken in reliance on the contents of this e-mail
>> > is strictly prohibited and may be unlawful. Where permitted by applicable
>> > law, this e-mail and other e-mail communications sent to and from Cognizant
>> > e-mail addresses may be monitored.
>
> --
> Vincenzo D'Amore

--
Vincenzo D'Amore
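
A check for the point made in the top reply, as an added example that is not part of the original thread: it reports whether the flag line in a Solr include file is active or still commented out, and lists log4j-core jars older than a given version. The function names, the three-argument usage and the reliance on `sort -V` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Solr include file (solr.in.sh / solr.in.cmd)
# and the log4j-core jars below a Solr install directory.

# Print "active", "commented" or "missing" for the formatMsgNoLookups flag.
lookup_flag_state() {
    flag='-Dlog4j2.formatMsgNoLookups=true'
    # Active: an assignment to SOLR_OPTS that is not behind "#" or "REM".
    if grep -iE '^[[:space:]]*((export|set)[[:space:]]+)?SOLR_OPTS=' "$1" \
        | grep -qF -- "$flag"; then
        echo active
    # Commented: the shipped default, still behind "#" or "REM".
    elif grep -iE '^[[:space:]]*(#|REM[[:space:]])' "$1" | grep -qF -- "$flag"; then
        echo commented
    else
        echo missing
    fi
}

# Print "version<TAB>path" for every log4j-core jar below directory $1.
log4j_core_versions() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        v=${jar##*/log4j-core-}
        printf '%s\t%s\n' "${v%.jar}" "$jar"
    done
}

# Succeed if version $1 is strictly older than version $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print the jars below directory $1 that are older than version $2.
outdated_log4j_core() {
    log4j_core_versions "$1" |
    while IFS="$(printf '\t')" read -r v jar; do
        if version_lt "$v" "$2"; then printf '%s\t%s\n' "$v" "$jar"; fi
    done
}

# Usage: sh audit.sh <include file> <solr install dir> <minimum version>
if [ "$#" -eq 3 ]; then
    echo "formatMsgNoLookups: $(lookup_flag_state "$1")"
    outdated_log4j_core "$2" "$3"
fi
```

The include file only affects newly started JVMs, so restart the Solr service after uncommenting the line.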
