diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 28757ad9f4b..a79818864fa 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -476,6 +476,8 @@ Bug Fixes * SOLR-8319: Fix NPE in pivot facets, add non-Analyzed query method in FieldType. (Houston Putman, Isabelle Giguere) +* SOLR-15843: Update Log4J to 2.15 (Mike Drob) + ================== 8.11.0 ================== Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index 4eb073eb9a3..95da0aac394 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -213,4 +213,8 @@ REM set SOLR_ADMIN_UI_DISABLED=false
 REM Solr is by default allowed to read and write data from/to SOLR_HOME and a few other well defined locations
 REM Sometimes it may be necessary to place a core or a backup on a different location or a different disk
 REM This parameter lets you specify file system path(s) to explicitly allow. The special value of '*' will allow any path
-REM SOLR_OPTS="%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path"
+REM set SOLR_OPTS=%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path
+
+REM Some previous versions of Solr use an outdated log4j dependency. If you are unable to use at least log4j version 2.15.0
+REM then enable the following setting to address CVE-2021-44228
+REM set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index c0493cffafb..e1daa012b17 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -258,3 +258,7 @@
 # You can test this behaviour by setting SOLR_HEAP=25m
 #SOLR_HEAP_DUMP=true
 #SOLR_HEAP_DUMP_DIR=/var/log/dumps
+
+# Some previous versions of Solr use an outdated log4j dependency. If you are unable to use at least log4j version 2.15.0
+# then enable the following setting to address CVE-2021-44228
+# SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
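Review bot: The comment block added at the end of the solr.in.cmd hunk presents `-Dlog4j2.formatMsgNoLookups=true` as addressing CVE-2021-44228 without stating its limits. It is a JVM system property, so a Log4j release that does not implement it ignores it silently, and it only turns off lookups in logged message text. I would describe it as a stopgap, for example by adding `REM This is a temporary mitigation only: confirm your log4j version honours the property, and upgrade log4j as soon as possible`. The same wording is added to solr/bin/solr.in.sh in the following hunk and needs the same caveat there.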
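Review bot: The example line added to solr.in.sh, `# SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"`, has a space after the `#`, while the commented-out settings in the context lines directly above it (`#SOLR_HEAP_DUMP=true`, `#SOLR_HEAP_DUMP_DIR=/var/log/dumps`) have none. Writing it as `#SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"` keeps settings visually distinct from the explanatory comment lines and keeps scripted uncommenting of settings consistent. The rest of the file is outside the hunk, so the convention is inferred from these context lines only.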
diff --git a/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1 b/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1
deleted file mode 100644
index ef0bdbd2869..00000000000
--- a/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-6bfcc76fa1a1a41295aff0042200aaa82d9ac286
diff --git a/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1 b/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1
new file mode 100644
index 00000000000..5eb0d83d7a2
--- /dev/null
+++ b/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1
@@ -0,0 +1 @@
+bc960fe2acbe6f3952011f88a771de18301534e7
diff --git a/solr/licenses/log4j-api-2.14.1.jar.sha1 b/solr/licenses/log4j-api-2.14.1.jar.sha1
deleted file mode 100644
index 650ed8c0ef9..00000000000
--- a/solr/licenses/log4j-api-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-cd8858fbbde69f46bce8db1152c18a43328aae78
diff --git a/solr/licenses/log4j-api-2.15.0.jar.sha1 b/solr/licenses/log4j-api-2.15.0.jar.sha1
new file mode 100644
index 00000000000..460ceeea69a
--- /dev/null
+++ b/solr/licenses/log4j-api-2.15.0.jar.sha1
@@ -0,0 +1 @@
+4a5aa7e55a29391c6f66e0b259d5189aa11e45d0
diff --git a/solr/licenses/log4j-core-2.14.1.jar.sha1 b/solr/licenses/log4j-core-2.14.1.jar.sha1
deleted file mode 100644
index 692beb9b1a5..00000000000
--- a/solr/licenses/log4j-core-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-9141212b8507ab50a45525b545b39d224614528b
diff --git a/solr/licenses/log4j-core-2.15.0.jar.sha1 b/solr/licenses/log4j-core-2.15.0.jar.sha1
new file mode 100644
index 00000000000..7ed98527bf0
--- /dev/null
+++ b/solr/licenses/log4j-core-2.15.0.jar.sha1
@@ -0,0 +1 @@
+ba55c13d7ac2fd44df9cc8074455719a33f375b9
diff --git a/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1 b/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1
deleted file mode 100644
index e277e2a80cf..00000000000
--- a/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-40f93aa5aa26435353d52469ed7b6cebb1126240
diff --git a/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1 b/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1
new file mode 100644
index 00000000000..49d17206794
--- /dev/null
+++ b/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1
@@ -0,0 +1 @@
+295580f2a67d6af4e276dd415dc3d78cf0167208
diff --git a/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1 b/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1
deleted file mode 100644
index 4731cdbc3ff..00000000000
--- a/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-9a40554b8dab7ac9606089c87ae8a5ba914ec932
diff --git a/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1 b/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1
new file mode 100644
index 00000000000..d967b1154e1
--- /dev/null
+++ b/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1
@@ -0,0 +1 @@
+8bb417869ab3baa19f2fc70e6d776d041f0a8ebc
diff --git a/solr/licenses/log4j-web-2.14.1.jar.sha1 b/solr/licenses/log4j-web-2.14.1.jar.sha1
deleted file mode 100644
index a0aedbf6002..00000000000
--- a/solr/licenses/log4j-web-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-cab83afbb8f2efdc730035b86d6f7b170c3cc2e7
diff --git a/solr/licenses/log4j-web-2.15.0.jar.sha1 b/solr/licenses/log4j-web-2.15.0.jar.sha1
new file mode 100644
index 00000000000..83513b19775
--- /dev/null
+++ b/solr/licenses/log4j-web-2.15.0.jar.sha1
@@ -0,0 +1 @@
+0e2b1512cb85e38326844bdb707b6673e0e70eeb
diff --git a/versions.lock b/versions.lock
index ddc4771de34..668f9fa2261 100644
--- a/versions.lock
+++ b/versions.lock
@@ -127,9 +127,9 @@ org.apache.kerby:kerby-asn1:1.0.1 (1 constraints: fd0be9f4) org.apache.kerby:kerby-config:1.0.1 (4 constraints: 4d3182b9) org.apache.kerby:kerby-pkix:1.0.1 (1 constraints: 710bfce4) org.apache.kerby:kerby-util:1.0.1 (2 constraints: 6518bdb6) -org.apache.logging.log4j:log4j-api:2.14.1 (4 constraints: d033fab0) -org.apache.logging.log4j:log4j-core:2.14.1 (2 constraints: 0d16b624) -org.apache.logging.log4j:log4j-slf4j-impl:2.14.1 (1 constraints: 3a053c3b) +org.apache.logging.log4j:log4j-api:2.15.0 (4 constraints: d03302b1) +org.apache.logging.log4j:log4j-core:2.15.0 (2 constraints: 0d16ba24) +org.apache.logging.log4j:log4j-slf4j-impl:2.15.0 (1 constraints: 3a053e3b) org.apache.lucene:lucene-analysis-common:9.0.0 (10 constraints: ac9e842f) org.apache.lucene:lucene-analysis-icu:9.0.0 (1 constraints: 0b051836) org.apache.lucene:lucene-analysis-kuromoji:9.0.0 (1 constraints: 0b051836)
@@ -317,7 +317,7 @@ org.apache.kerby:kerb-common:1.0.1 (2 constraints: a51841ca) org.apache.kerby:kerb-identity:1.0.1 (1 constraints: 5f0cb602) org.apache.kerby:kerb-server:1.0.1 (1 constraints: d10b65f2) org.apache.kerby:kerb-simplekdc:1.0.1 (1 constraints: dc0d7e3e) -org.apache.logging.log4j:log4j-1.2-api:2.14.1 (1 constraints: 3a053c3b) +org.apache.logging.log4j:log4j-1.2-api:2.15.0 (1 constraints: 3a053e3b) org.asciidoctor:asciidoctorj:1.6.2 (1 constraints: 0b050436) org.asciidoctor:asciidoctorj-api:1.6.2 (1 constraints: e30cfb0d) org.freemarker:freemarker:2.3.31 (1 constraints: ef0e9271)
diff --git a/versions.props b/versions.props
index 9a250b41dea..c7f6e341343 100644
--- a/versions.props
+++ b/versions.props
@@ -88,7 +88,7 @@ org.apache.httpcomponents:httpcore=4.4.13
 org.apache.httpcomponents:httpmime=4.5.10
 org.apache.james:apache-mime4j*=0.8.3
 org.apache.kerby:*=1.0.1
-org.apache.logging.log4j:*=2.14.1
+org.apache.logging.log4j:*=2.15.0
 org.apache.lucene:*=9.0.0
 org.apache.opennlp:opennlp-tools=1.9.1
 org.apache.pdfbox:*=2.0.24