
Update to Docker 7.7.3 in release 9.0.3 is ineffective for CVE-2021-44228 and CVE-2021-45046 #3129

Closed
gmoniker opened this issue Dec 15, 2021 · 3 comments

Comments

@gmoniker

The Docker 7.7.3 container from the official registry, pulled this evening and referenced in the Dockerfile in release 9.0.3, contains log4j version 2.11.0 and no mitigations in bin/solr.in.sh.

Anyone building and running a new container from release 9.0.3 will have a log4shell vulnerable container.

Steps to reproduce the behavior:
Build and run with the Dockerfile from release 9.0.3

Expected behavior
A container that is not vulnerable to Log4Shell

@dkd-kaehm
Collaborator

dkd-kaehm commented Dec 16, 2021

@gmoniker
See https://github.com/docker-solr/docker-solr and especially docker-solr/docker-solr@d9aceb6
The fixes for "CVE-2021-44228" are in /opt/docker-solr/scripts/solr-fg, and Apache Solr is not vulnerable to "CVE-2021-45046"; see apache/solr#454 (comment) and https://solr.apache.org/security.html.
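
As an added example (not code from this issue, from docker-solr or from the Solr project), here is a POSIX shell check a practitioner could run against an image filesystem exported with `docker export` to verify the two points raised above: which log4j-core jar versions the image contains, and whether the solr-fg or solr.in.sh start scripts carry the `-Dlog4j2.formatMsgNoLookups=true` setting that the linked docker-solr commit is described as adding. The Maven jar naming pattern, the two script paths, the exact property string and the 2.16.0 default threshold are assumptions made for the example, not facts taken from this thread.

```shell
#!/bin/sh
# Added example, not code from the issue, docker-solr or Solr: audit an
# extracted container filesystem (e.g. the output of `docker export`) for
# log4j-core jars and for the formatMsgNoLookups mitigation.
# Assumptions: jars use the Maven name log4j-core-<version>.jar, versions
# are numeric and dotted, and the mitigation lives in one of the two
# start scripts named below.

# version_ge A B: exit 0 when dotted version A >= B (first three parts).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        pa=$(printf '%s' "$1" | cut -s -d. -f"$i" | tr -cd '0-9')
        pb=$(printf '%s' "$2" | cut -s -d. -f"$i" | tr -cd '0-9')
        pa=${pa:-0}; pb=${pb:-0}
        [ "$pa" -gt "$pb" ] && return 0
        [ "$pa" -lt "$pb" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# audit_log4j ROOT [MIN]: list every log4j-core jar under ROOT, compare its
# version with MIN (default 2.16.0, an assumed policy threshold), and look
# for -Dlog4j2.formatMsgNoLookups=true in the start scripts.
# Exit status: 0 = no jar below MIN (or no jar at all),
#              1 = outdated jar and no mitigation flag found,
#              2 = outdated jar but the flag is present (CVE-2021-44228
#                  mitigated, yet a "log4j2 < MIN" version policy still fails).
audit_log4j() {
    root=$1
    min=${2:-2.16.0}
    total=0; bad=0; mitigated=0

    old_ifs=$IFS
    IFS='
'
    for jar in $(find "$root" -type f -name 'log4j-core-*.jar' 2>/dev/null); do
        total=$((total + 1))
        name=$(basename "$jar" .jar)
        ver=${name#log4j-core-}
        if version_ge "$ver" "$min"; then
            echo "ok       $jar (log4j-core $ver >= $min)"
        else
            echo "OUTDATED $jar (log4j-core $ver < $min)"
            bad=$((bad + 1))
        fi
    done
    IFS=$old_ifs

    # Script paths named in the thread (assumed locations inside the image).
    for script in "$root/opt/docker-solr/scripts/solr-fg" "$root/opt/solr/bin/solr.in.sh"; do
        if [ -f "$script" ] && grep -q 'log4j2\.formatMsgNoLookups=true' "$script"; then
            echo "mitigation found in $script"
            mitigated=1
        fi
    done

    if [ "$total" -eq 0 ]; then
        echo "no log4j-core jar found under $root"
        return 0
    fi
    if [ "$bad" -eq 0 ]; then
        echo "PASS: every log4j-core jar is >= $min"
        return 0
    fi
    if [ "$mitigated" -eq 1 ]; then
        echo "MITIGATED: formatMsgNoLookups is set, but $bad jar(s) are below $min"
        return 2
    fi
    echo "VULNERABLE: $bad jar(s) below $min and no formatMsgNoLookups mitigation"
    return 1
}

# Usage: sh audit_log4j.sh /path/to/exported/rootfs [MIN_VERSION]
if [ -n "${1:-}" ]; then
    audit_log4j "$1" "${2:-2.16.0}"
fi
```

The check reads jar filenames and script text only. It does not see a property injected another way (Log4j 2.10+ also honours the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) or a jar from which the JndiLookup class was stripped, so confirm the arguments of the running JVM with `ps` inside the container before signing off on an image.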

@gmoniker
Author

OK, so maybe I should have framed it as a question: is it vulnerable?

But while I accept that in practice it isn't, this will force us to modify the containers, because the Dutch government response has been that any application with log4j2 < 2.15 (and probably now 2.16) will be unacceptable. Just so you know.

@dkd-kaehm
Collaborator

dkd-kaehm commented Dec 16, 2021

OK, Apache Solr 8.11.1+ or 9.0+ is required then; see https://issues.apache.org/jira/browse/SOLR-15843.
