Hi Vincenzo,

We have manually updated the log4j core and api files in Solr and have uncommented the line

./bin/solr.in.sh:# SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"

Are these changes enough to mitigate the log4j vulnerability?

Thanks and Regards,
Raghav Khandelwal

-----Original Message-----
From: Vincenzo D'Amore <[email protected]>
Sent: 11 January 2022 21:48
To: [email protected]
Subject: Re: Regarding Log4j Vulnerability in Solr-8.2.0 [External]

BTW, if you want to add the log4j2.formatMsgNoLookups=true system property, pay attention to how the Solr "include files" are configured. You have to explicitly uncomment the lines:

./bin/solr.in.sh:# SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
./bin/solr.in.cmd:REM set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true

On Tue, Jan 11, 2022 at 5:06 PM Vincenzo D'Amore <[email protected]> wrote:

> Hi Thomas,
>
> Why the 8.11.0?
> I read that the latest stable version is 8.11.1
> https://solr.apache.org/docs/8_11_1/changes/Changes.html#v8.11.1.bug_fixes
> With the bug fix: Update Log4J to 2.16 (Mike Drob, janhoy)
>
> On Tue, Jan 11, 2022 at 4:40 PM Thomas Heldmann <[email protected]> wrote:
>
>> Dear Raghav,
>>
>> Do I understand you correctly that you want to upgrade from Solr 8.2.0 to Solr 8.11.0, for example?
>>
>> First of all, you should have a look at the Solr Upgrade Notes (https://solr.apache.org/guide/8_11/solr-upgrade-notes.html) and run some tests on a local PC to find out whether your index schemes are still working with Solr 8.11.0. If your tests were successful, you can try to upgrade an existing Solr installation. The upgrade procedure is quite simple:
>>
>> https://solr.apache.org/guide/8_11/upgrading-a-solr-cluster.html
>>
>> You install the new Solr version (e.g. 8.11.0) using the EXISTING service name (that is very important!) in the same way as you installed Solr 8.2.0.
>> The new Solr version will be installed "besides" the old one, so there will be, for example, /opt/solr-8.2.0 and /opt/solr-8.11.0. The service name will be redirected to the new version. After the installation, you have to verify that the environment variables in solr.in.sh are still set correctly. If you are using SolrCloud, you probably have to set up a new ZooKeeper ensemble and adapt the ZK variables in solr.in.sh. Now the upgrade is completed and you can start the Solr service as you have done so far. The new version will be started and should be able to use the existing schemes and indexed data.
>>
>> I hope this helps you. Please do not hesitate to ask again if you have any further questions.
>>
>> Best regards,
>> Thomas
>>
>> --
>> Thomas Heldmann
>> Bayerische Staatsbibliothek
>> Verbundzentrale des Bibliotheksverbunds Bayern
>> Leopoldstraße 240
>> 80807 München
>>
>> Tel.: 089/28638-4153
>> E-Mail: [email protected]
>>
>>> <[email protected]> wrote on 11.01.2022 at 15:48:
>>> Hi Team
>>>
>>> For Solr side mitigation for log4j, we have manually updated the log4j-core and log4j-api files to the latest versions (2.17.1) and have done
>>> (Linux/MacOS) Edit your solr.in.sh file to include: SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
>>> this mitigation step as well, as mentioned in the solr security update
>>> https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
>>> The Company Security Team have shared a vulnerability in solr's end. Can you please confirm that these mitigation steps are good to solve the issue from solr's end.
>>>
>>> The Solr application is installed as a service in our system, can you please share the steps needed to update solr to the latest version, without losing the data indexed in solr.
>>> Thanks and Regards,
>>> Raghav Khandelwal
>>>
>>> This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.
>
> --
> Vincenzo D'Amore

--
Vincenzo D'Amore
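The thread turns on two facts about an installation: which log4j-core jar Solr is actually loading, and whether the SOLR_OPTS line in solr.in.sh is really uncommented (the shipped file has it behind "# ", as Vincenzo points out). The POSIX shell script below is an added example, not part of the thread and not Solr project code, that reads both facts from a Solr root directory and classifies the result. It assumes the Solr 8.x layout in which the Log4j jars live under server/lib/ext, and it only looks at jar file names, so a Log4j copy bundled inside some other jar would not be seen. The classification uses facts from the Log4j advisories: log4j-core 2.17.1 (the version Raghav installed) or later counts as patched; the formatMsgNoLookups property only takes effect on Log4j 2.10 through 2.14.1 and was later documented by the Log4j project as an incomplete mitigation, so a flag without the jar upgrade is reported as "flag-only"; everything else is "vulnerable". The fixture directories, the 2.11.2 version used for the unpatched case and the one-line solr.in.sh are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Solr project code): check the two Log4j mitigation facts
# discussed in the thread for a Solr 8.x root directory.
# Assumption: Log4j jars are under $ROOT/server/lib/ext and the include file
# is $ROOT/bin/solr.in.sh, as in a default Solr 8 install.

# Print the log4j-core version taken from the jar file name in directory $1,
# or "none" when no such jar exists (only file names are inspected).
log4j_core_version() {
  for jar in "$1"/log4j-core-*.jar; do
    [ -e "$jar" ] || { echo none; return; }
    v=${jar##*/log4j-core-}
    echo "${v%.jar}"
    return
  done
}

# Succeed (exit 0) when dotted version $1 >= $2, comparing components numerically,
# so that 2.9.1 < 2.10.0 (a plain string compare would get that wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= (n > m ? n : m); i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0 }'
}

# Succeed when solr.in.sh ($1) has an UNCOMMENTED SOLR_OPTS line that sets the
# property. The line Solr ships is commented out, which is the trap in the thread.
nolookups_enabled() {
  grep -Eq '^[[:space:]]*SOLR_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# Classify a Solr root ($1):
#   patched     log4j-core >= 2.17.1
#   flag-only   2.10 <= log4j-core < 2.17.1 and the property is set (the flag only
#               narrows the exposure; the jars still need to be upgraded)
#   vulnerable  anything else with a log4j-core jar present
#   unknown     no log4j-core jar found under server/lib/ext
assess_solr() {
  root="$1"
  core=$(log4j_core_version "$root/server/lib/ext")
  if [ "$core" = none ]; then echo unknown; return; fi
  if version_ge "$core" 2.17.1; then echo patched; return; fi
  if version_ge "$core" 2.10.0 && nolookups_enabled "$root/bin/solr.in.sh"; then
    echo flag-only; return
  fi
  echo vulnerable
}

# Build a constructed fixture (empty files named like the real jars plus a
# one-line solr.in.sh) so the check can be demonstrated offline.
# $1 = Log4j version to fake, $2 = "on" to uncomment the SOLR_OPTS line, "off" to keep it commented.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/server/lib/ext" "$root/bin"
  : > "$root/server/lib/ext/log4j-core-$1.jar"
  : > "$root/server/lib/ext/log4j-api-$1.jar"
  line='SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"'
  if [ "$2" = on ]; then printf '%s\n' "$line"; else printf '# %s\n' "$line"; fi > "$root/bin/solr.in.sh"
  echo "$root"
}

# Usage: sh check_solr_log4j.sh /opt/solr
# Without an argument a constructed fixture (2.11.2 jars, flag uncommented) is checked.
target="${1:-$(make_fixture 2.11.2 on)}"
echo "log4j-core $(log4j_core_version "$target/server/lib/ext") in $target: $(assess_solr "$target")"
```

Run it against the real root (for example the /opt/solr-8.2.0 directory Thomas mentions) rather than the fixture, and remember that the version check is only as good as the jar name: a manually copied jar that was renamed, or a second copy elsewhere on the classpath, needs a look at the running JVM (for instance the jars listed in the Solr admin UI or the process's open files) to confirm.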
