On 1/14/2022 3:25 AM, Anda Moldovan wrote:
We are currently using Solr version 8.9.0 integrated in our product, but with
the latest log4j security issues we are looking for a suitable version to
upgrade.
The current requirement is that it uses a log4j version >= 2.17.1.
According to this community post
https://issues.apache.org/jira/browse/SOLR-15871?jql=project%20%3D%20SOLR%20AND%20text%20~%202.17.1
the version we are looking for is 8.11.2, but we could not find the date of
this release,
so could you please provide an ETA for the 8.11.2 release, so we can plan the
upgrade accordingly?
Just FYI, that is not a "community post" ... it is an issue in the
Apache Jira bug tracker. The issue was resolved with 8.11.2 as the
fixed version, so the source code has been updated, but that does not
mean the change will actually be released.
It is not very likely that 8.11.2 will ever be released. The project is
in the beginning stages of preparing 9.0.0 for release. That version
will incorporate the latest log4j2.
Solr is not vulnerable to the most recently issued log4j CVEs. The
slightly older vulnerability is mitigated by either upgrading to Solr
8.11.1 or adding the log4j2.formatMsgNoLookups=true property to the Solr
startup. Or by manually replacing the jar files.
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
If you absolutely must have your Solr install pass a vulnerability scan
that just looks at jar versions and doesn't know about steps a user can
take to mitigate the problems, you can replace all the occurrences of
the log4j2 jars in your Solr install directory with updated versions.
We have verified that Solr 7.4.0 and later **IS** compatible with
updated log4j2 jars.
Thanks,
Shawn
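As an added example (not part of the thread and not Solr project code), the script below does what the last two paragraphs of the reply describe for a Solr 8.x install tree: it walks the tree for log4j-*.jar files, reports every jar whose version suffix is below a minimum (2.17.1 in the thread), appends the log4j2.formatMsgNoLookups=true mitigation to bin/solr.in.sh once, and optionally swaps in replacement jars for each artifact it finds below the minimum. The directory layout (server/lib/ext, contrib/prometheus-exporter/lib), the jar names, the empty placeholder jars, and the SOLR_OPTS line are constructed for the demo and are assumptions, not something verified against any particular Solr release; the replace function deletes files, so run it only against a backed-up install.

```shell
#!/bin/sh
# Added example, not Solr project code: audit log4j2 jars in a Solr install
# tree, add the formatMsgNoLookups mitigation, or swap in replacement jars.
# Directory layout and jar names below are constructed for the demo.

# version_ge A B: exit 0 if dotted numeric version A >= B (e.g. 2.17.1 >= 2.16.0)
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# log4j_jars_below ROOT MIN: print "<version> <path>" for each log4j-*.jar
# under ROOT whose trailing version component is older than MIN.
log4j_jars_below() {
    find "$1" -type f -name 'log4j-*.jar' | sort | while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        ver=${base##*-}                                # log4j-1.2-api-2.14.1 -> 2.14.1
        case "$ver" in *[!0-9.]*) continue ;; esac     # skip non-numeric suffixes
        version_ge "$ver" "$2" || printf '%s %s\n' "$ver" "$jar"
    done
}

# count_below ROOT MIN: number of jars log4j_jars_below would report.
count_below() { log4j_jars_below "$1" "$2" | wc -l | tr -d ' '; }

# ensure_nolookups SOLR_IN_SH: append the mitigation property once (idempotent).
# The SOLR_OPTS line is the assumed way to pass a -D property to Solr's JVM.
ensure_nolookups() {
    grep -q 'log4j2.formatMsgNoLookups=true' "$1" 2>/dev/null && return 0
    printf '%s\n' 'SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"' >> "$1"
}

# replace_log4j_jars ROOT MIN NEWDIR: for every jar older than MIN, delete it and
# copy the same artifact (log4j-core, log4j-api, ...) from NEWDIR into its place.
replace_log4j_jars() {
    log4j_jars_below "$1" "$2" | while read -r ver jar; do
        artifact=$(basename "$jar" "-$ver.jar")        # log4j-core-2.14.1.jar -> log4j-core
        new=$(ls "$3"/"$artifact"-*.jar 2>/dev/null | head -n 1)
        if [ -z "$new" ]; then
            printf 'no replacement for %s in %s\n' "$artifact" "$3" >&2
            continue
        fi
        rm -f "$jar" && cp "$new" "$(dirname "$jar")/"
    done
}

# make_sample_install: throwaway tree with an assumed Solr 8.x layout and
# constructed (empty) jar files at an old version; prints its path.
make_sample_install() {
    d=$(mktemp -d)
    mkdir -p "$d/server/lib/ext" "$d/contrib/prometheus-exporter/lib" "$d/bin"
    for a in log4j-api log4j-core log4j-1.2-api log4j-slf4j-impl log4j-web; do
        : > "$d/server/lib/ext/$a-2.14.1.jar"
    done
    : > "$d/contrib/prometheus-exporter/lib/log4j-core-2.17.1.jar"   # already current
    : > "$d/bin/solr.in.sh"
    printf '%s\n' "$d"
}

# make_sample_newjars: directory of constructed replacement jars at 2.17.1.
make_sample_newjars() {
    d=$(mktemp -d)
    for a in log4j-api log4j-core log4j-1.2-api log4j-slf4j-impl log4j-web; do
        : > "$d/$a-2.17.1.jar"
    done
    printf '%s\n' "$d"
}

# demo: audit, mitigate, replace, re-audit against the constructed tree.
demo() {
    root=$(make_sample_install)
    echo "jars below 2.17.1 before:"; log4j_jars_below "$root" 2.17.1
    ensure_nolookups "$root/bin/solr.in.sh"
    replace_log4j_jars "$root" 2.17.1 "$(make_sample_newjars)"
    echo "jars below 2.17.1 after: $(count_below "$root" 2.17.1)"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh audit-log4j.sh demo` to see it against the constructed tree; against a real install, call `log4j_jars_below /opt/solr 2.17.1` first and only then decide between the property and a jar swap. The version comparison only looks at the file name suffix, which is exactly what a jar-version scanner does, so a tree that passes this check passes that kind of scan; it says nothing about whether the running process was restarted after the change.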