On 3/29/2022 6:27 AM, [email protected] wrote:
I am using Solr 7.2.1 and our system detected it to be vulnerable. Here are the
details.
Source: The Exploit-DB
Reference: CVE-2021-44228
Description: Apache Log4j2 2.14.1 - Information Disclosure - The Exploit-DB Ref: 50590
Link: http://www.exploit-db.com/exploits/50590
Reference: CVE-2021-44228
Description: Apache Log4j 2 - Remote Code Execution (RCE) - The Exploit-DB Ref: 50592
Link: http://www.exploit-db.com/exploits/50592
Solr 7.2.1 does NOT come with log4j2. It includes log4j 1.2.17. You'll
find vulnerabilities on that too.
https://logging.apache.org/log4j/1.2/index.html
Upgrading log4j in 7.2.1 is probably not an easy task. It would be much
easier to upgrade to at least Solr 7.4.0, which was the first version of
Solr to use log4j2. Then you could simply replace the log4j2 jars in
the Solr download with the newer version from log4j.
Thanks,
Shawn
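Shawn's advice comes down to an inventory question: which log4j jars does the installation actually ship, and at what version. The POSIX shell script below is an added example, not from the thread and not part of Solr or Log4j, that walks a Solr install directory, classifies every `log4j*.jar` by the version in its file name (log4j 1.x, log4j2 below a chosen minimum, or log4j2 at or above it) and counts the jars that need attention, which is the check a deployment pipeline would run before and after swapping jars as described above. The default minimum version and the sample jar names in `make_sample_install` are assumptions constructed for the demonstration (only `log4j-1.2.17.jar` comes from the thread); set the threshold to the version the Log4j project currently recommends.

```shell
#!/bin/sh
# Added example: inventory log4j jars under a Solr install and flag the ones
# that are log4j 1.x (end of life, with its own advisories) or log4j2 older
# than a required minimum. Constructed for illustration; not Solr's own code.

# Assumed example threshold, not taken from the thread. Override with the
# environment variable or pass the version you actually require.
MIN_LOG4J2_VERSION="${MIN_LOG4J2_VERSION:-2.17.1}"

# version_ge A B: exit 0 when dotted version A >= B, comparing each
# numeric component in turn (missing components count as 0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        [ "$ah" -gt "$bh" ] && return 0
        [ "$ah" -lt "$bh" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# jar_version NAME: print the trailing dotted version of a jar file name,
# e.g. log4j-core-2.11.0.jar -> 2.11.0, log4j-1.2-api-2.17.1.jar -> 2.17.1
jar_version() {
    v="${1%.jar}"
    v="${v##*-}"
    printf '%s\n' "$v"
}

# classify_jar NAME MIN: print "VERDICT VERSION" for a jar file name.
# Verdicts: LOG4J1, LOG4J2_OLD, LOG4J2_OK, UNKNOWN (log4j jar without a
# parseable version), OTHER (not a log4j jar at all).
classify_jar() {
    name="$1"; min="$2"
    case "$name" in
        log4j*.jar) ;;
        *) printf 'OTHER\n'; return 0 ;;
    esac
    v="$(jar_version "$name")"
    case "$v" in
        *[!0-9.]*|"") printf 'UNKNOWN %s\n' "$v"; return 0 ;;
        1.*)          printf 'LOG4J1 %s\n' "$v"; return 0 ;;
    esac
    if version_ge "$v" "$min"; then
        printf 'LOG4J2_OK %s\n' "$v"
    else
        printf 'LOG4J2_OLD %s\n' "$v"
    fi
}

# scan_dir DIR MIN: one line per log4j jar under DIR: "VERDICT VERSION PATH".
scan_dir() {
    dir="$1"; min="$2"
    find "$dir" -type f -name 'log4j*.jar' | sort | while IFS= read -r path; do
        verdict="$(classify_jar "$(basename "$path")" "$min")"
        printf '%s %s\n' "$verdict" "$path"
    done
}

# count_bad DIR MIN: number of jars that are log4j 1.x or log4j2 below MIN.
count_bad() {
    scan_dir "$1" "$2" | grep -c -E '^(LOG4J1|LOG4J2_OLD) ' || true
}

# make_sample_install: build a constructed tree with empty jar files that
# mimics a Solr layout; prints the directory path. The mix of versions is
# made up for the demo and does not describe any real Solr release.
make_sample_install() {
    d="$(mktemp -d)"
    mkdir -p "$d/server/lib/ext" "$d/contrib/prometheus-exporter/lib"
    touch "$d/server/lib/ext/log4j-1.2.17.jar"          # log4j 1.x, as in Solr 7.2.1
    touch "$d/server/lib/ext/log4j-core-2.11.0.jar"      # constructed old log4j2
    touch "$d/server/lib/ext/log4j-api-2.11.0.jar"       # constructed old log4j2
    touch "$d/server/lib/ext/log4j-1.2-api-2.17.1.jar"   # log4j2 bridge jar, at threshold
    touch "$d/server/lib/ext/slf4j-api-1.7.24.jar"       # not log4j, ignored
    touch "$d/contrib/prometheus-exporter/lib/log4j-core-2.17.1.jar"
    printf '%s\n' "$d"
}

# Run against a real install if a directory is given, otherwise on the sample.
if [ -n "${1:-}" ]; then
    scan_dir "$1" "$MIN_LOG4J2_VERSION"
    printf 'jars needing attention: %s\n' "$(count_bad "$1" "$MIN_LOG4J2_VERSION")"
else
    sample="$(make_sample_install)"
    scan_dir "$sample" "$MIN_LOG4J2_VERSION"
    printf 'jars needing attention: %s\n' "$(count_bad "$sample" "$MIN_LOG4J2_VERSION")"
    rm -rf "$sample"
fi
```

Run it as `sh check-log4j.sh /opt/solr` to list every log4j jar with a verdict, or rely on `count_bad` for a pass/fail gate. The script judges by file name only: a jar whose name carries no version, a shaded jar that bundles log4j classes, or a jar dropped into a custom lib path outside the scanned tree will not be caught, so treat a clean result as a prerequisite for, not a replacement for, verifying the manifest of the jars actually on the classpath.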