From 43d1bfe49b76807a5e1bf1cc9607cd894ea11179 Mon Sep 17 00:00:00 2001
From: Mike Drob
Date: Thu, 9 Dec 2021 18:59:53 -0600
Subject: [PATCH 1/5] SOLR-15843 Update Log4J to 2.15
---
 solr/CHANGES.txt | 5 +++++
 solr/licenses/log4j-1.2-api-2.14.1.jar.sha1 | 1 -
 solr/licenses/log4j-1.2-api-2.15.0.jar.sha1 | 1 +
 solr/licenses/log4j-api-2.14.1.jar.sha1 | 1 -
 solr/licenses/log4j-api-2.15.0.jar.sha1 | 1 +
 solr/licenses/log4j-core-2.14.1.jar.sha1 | 1 -
 solr/licenses/log4j-core-2.15.0.jar.sha1 | 1 +
 solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1 | 1 -
 solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1 | 1 +
 solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1 | 1 -
 solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1 | 1 +
 solr/licenses/log4j-web-2.14.1.jar.sha1 | 1 -
 solr/licenses/log4j-web-2.15.0.jar.sha1 | 1 +
 versions.lock | 8 ++++----
 versions.props | 2 +-
 15 files changed, 16 insertions(+), 11 deletions(-)
 delete mode 100644 solr/licenses/log4j-1.2-api-2.14.1.jar.sha1
 create mode 100644 solr/licenses/log4j-1.2-api-2.15.0.jar.sha1
 delete mode 100644 solr/licenses/log4j-api-2.14.1.jar.sha1
 create mode 100644 solr/licenses/log4j-api-2.15.0.jar.sha1
 delete mode 100644 solr/licenses/log4j-core-2.14.1.jar.sha1
 create mode 100644 solr/licenses/log4j-core-2.15.0.jar.sha1
 delete mode 100644 solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1
 create mode 100644 solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1
 delete mode 100644 solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1
 create mode 100644 solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1
 delete mode 100644 solr/licenses/log4j-web-2.14.1.jar.sha1
 create mode 100644 solr/licenses/log4j-web-2.15.0.jar.sha1
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 28757ad9f4b..0857b6faa82 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -476,6 +476,11 @@ Bug Fixes * SOLR-8319: Fix NPE in pivot facets, add non-Analyzed query method in FieldType. (Houston Putman, Isabelle Giguere) +Other Changes +--------------------- + +* SOLR-15843: Update Log4J to 2.15 (Mike Drob) + ================== 8.11.0 ================== Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release. diff --git a/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1 b/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1 deleted file mode 100644 index ef0bdbd2869..00000000000 --- a/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -6bfcc76fa1a1a41295aff0042200aaa82d9ac286 diff --git a/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1 b/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1 new file mode 100644 index 00000000000..5eb0d83d7a2 --- /dev/null +++ b/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1 @@ -0,0 +1 @@ +bc960fe2acbe6f3952011f88a771de18301534e7 diff --git a/solr/licenses/log4j-api-2.14.1.jar.sha1 b/solr/licenses/log4j-api-2.14.1.jar.sha1 deleted file mode 100644 index 650ed8c0ef9..00000000000 --- a/solr/licenses/log4j-api-2.14.1.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -cd8858fbbde69f46bce8db1152c18a43328aae78 diff --git a/solr/licenses/log4j-api-2.15.0.jar.sha1 b/solr/licenses/log4j-api-2.15.0.jar.sha1 new file mode 100644 index 00000000000..460ceeea69a --- /dev/null +++ b/solr/licenses/log4j-api-2.15.0.jar.sha1 @@ -0,0 +1 @@ +4a5aa7e55a29391c6f66e0b259d5189aa11e45d0 diff --git a/solr/licenses/log4j-core-2.14.1.jar.sha1 b/solr/licenses/log4j-core-2.14.1.jar.sha1 deleted file mode 100644 index 692beb9b1a5..00000000000 --- a/solr/licenses/log4j-core-2.14.1.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -9141212b8507ab50a45525b545b39d224614528b diff --git a/solr/licenses/log4j-core-2.15.0.jar.sha1 b/solr/licenses/log4j-core-2.15.0.jar.sha1 new file mode 100644 index 00000000000..7ed98527bf0 --- /dev/null +++ b/solr/licenses/log4j-core-2.15.0.jar.sha1 @@ -0,0 +1 @@ +ba55c13d7ac2fd44df9cc8074455719a33f375b9 
diff --git a/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1 b/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1
deleted file mode 100644
index e277e2a80cf..00000000000
--- a/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-40f93aa5aa26435353d52469ed7b6cebb1126240
diff --git a/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1 b/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1
new file mode 100644
index 00000000000..49d17206794
--- /dev/null
+++ b/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1
@@ -0,0 +1 @@
+295580f2a67d6af4e276dd415dc3d78cf0167208
diff --git a/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1 b/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1
deleted file mode 100644
index 4731cdbc3ff..00000000000
--- a/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-9a40554b8dab7ac9606089c87ae8a5ba914ec932
diff --git a/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1 b/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1
new file mode 100644
index 00000000000..d967b1154e1
--- /dev/null
+++ b/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1
@@ -0,0 +1 @@
+8bb417869ab3baa19f2fc70e6d776d041f0a8ebc
diff --git a/solr/licenses/log4j-web-2.14.1.jar.sha1 b/solr/licenses/log4j-web-2.14.1.jar.sha1
deleted file mode 100644
index a0aedbf6002..00000000000
--- a/solr/licenses/log4j-web-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-cab83afbb8f2efdc730035b86d6f7b170c3cc2e7
diff --git a/solr/licenses/log4j-web-2.15.0.jar.sha1 b/solr/licenses/log4j-web-2.15.0.jar.sha1
new file mode 100644
index 00000000000..83513b19775
--- /dev/null
+++ b/solr/licenses/log4j-web-2.15.0.jar.sha1
@@ -0,0 +1 @@
+0e2b1512cb85e38326844bdb707b6673e0e70eeb
diff --git a/versions.lock b/versions.lock
index ddc4771de34..668f9fa2261 100644
--- a/versions.lock
+++ b/versions.lock
@@ -127,9 +127,9 @@ org.apache.kerby:kerby-asn1:1.0.1 (1 constraints: fd0be9f4)
 org.apache.kerby:kerby-config:1.0.1 (4 constraints: 4d3182b9)
 org.apache.kerby:kerby-pkix:1.0.1 (1 constraints: 710bfce4)
 org.apache.kerby:kerby-util:1.0.1 (2 constraints: 6518bdb6)
-org.apache.logging.log4j:log4j-api:2.14.1 (4 constraints: d033fab0)
-org.apache.logging.log4j:log4j-core:2.14.1 (2 constraints: 0d16b624)
-org.apache.logging.log4j:log4j-slf4j-impl:2.14.1 (1 constraints: 3a053c3b)
+org.apache.logging.log4j:log4j-api:2.15.0 (4 constraints: d03302b1)
+org.apache.logging.log4j:log4j-core:2.15.0 (2 constraints: 0d16ba24)
+org.apache.logging.log4j:log4j-slf4j-impl:2.15.0 (1 constraints: 3a053e3b)
 org.apache.lucene:lucene-analysis-common:9.0.0 (10 constraints: ac9e842f)
 org.apache.lucene:lucene-analysis-icu:9.0.0 (1 constraints: 0b051836)
 org.apache.lucene:lucene-analysis-kuromoji:9.0.0 (1 constraints: 0b051836)
@@ -317,7 +317,7 @@ org.apache.kerby:kerb-common:1.0.1 (2 constraints: a51841ca)
 org.apache.kerby:kerb-identity:1.0.1 (1 constraints: 5f0cb602)
 org.apache.kerby:kerb-server:1.0.1 (1 constraints: d10b65f2)
 org.apache.kerby:kerb-simplekdc:1.0.1 (1 constraints: dc0d7e3e)
-org.apache.logging.log4j:log4j-1.2-api:2.14.1 (1 constraints: 3a053c3b)
+org.apache.logging.log4j:log4j-1.2-api:2.15.0 (1 constraints: 3a053e3b)
 org.asciidoctor:asciidoctorj:1.6.2 (1 constraints: 0b050436)
 org.asciidoctor:asciidoctorj-api:1.6.2 (1 constraints: e30cfb0d)
 org.freemarker:freemarker:2.3.31 (1 constraints: ef0e9271)
diff --git a/versions.props b/versions.props
index 9a250b41dea..c7f6e341343 100644
--- a/versions.props
+++ b/versions.props
@@ -88,7 +88,7 @@ org.apache.httpcomponents:httpcore=4.4.13
 org.apache.httpcomponents:httpmime=4.5.10
 org.apache.james:apache-mime4j*=0.8.3
 org.apache.kerby:*=1.0.1
-org.apache.logging.log4j:*=2.14.1
+org.apache.logging.log4j:*=2.15.0
 org.apache.lucene:*=9.0.0
 org.apache.opennlp:opennlp-tools=1.9.1
 org.apache.pdfbox:*=2.0.24
From 7ab0fc76164a4f29402d2e0d1be1028ffc7e58f7 Mon Sep 17 00:00:00 2001 From: Mike Drob Date: Fri, 10 Dec 2021 09:44:17 -0600 Subject: [PATCH 2/5] SOLR-15843 Add examples to solr.in.* --- solr/bin/solr.in.cmd | 4 ++++ solr/bin/solr.in.sh | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd index 4eb073eb9a3..feded12884e 100755 --- a/solr/bin/solr.in.cmd +++ b/solr/bin/solr.in.cmd @@ -214,3 +214,7 @@ REM Solr is by default allowed to read and write data from/to SOLR_HOME and a fe REM Sometimes it may be necessary to place a core or a backup on a different location or a different disk REM This parameter lets you specify file system path(s) to explicitly allow. The special value of '*' will allow any path REM SOLR_OPTS="%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path" + +REM Some previous versions of Solr use an outdated log4j dependency. If you are unable to use at least log4j version 2.15.0 +REM then enable the following setting to address CVE-2021-44228 +REM SOLR_OPTS="%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true" diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh index c0493cffafb..e1daa012b17 100644 --- a/solr/bin/solr.in.sh +++ b/solr/bin/solr.in.sh @@ -258,3 +258,7 @@ # You can test this behaviour by setting SOLR_HEAP=25m #SOLR_HEAP_DUMP=true #SOLR_HEAP_DUMP_DIR=/var/log/dumps + +# Some previous versions of Solr use an outdated log4j dependency. If you are unable to use at least log4j version 2.15.0 +# then enable the following setting to address CVE-2021-44228 +# SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" From 9ebaaccab3f876d3bea570ef510fbdd9cf6ca17d Mon Sep 17 00:00:00 2001 From: Mike Drob Date: Fri, 10 Dec 2021 10:08:23 -0600 Subject: [PATCH 3/5] Fix CHANGES --- solr/CHANGES.txt | 3 --- 1 file changed, 3 deletions(-) diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt index 0857b6faa82..a79818864fa 100644 --- a/solr/CHANGES.txt +++ b/solr/CHANGES.txt 
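Review bot: The comment added at the end of solr.in.cmd, and repeated in the solr.in.sh hunk, offers `-Dlog4j2.formatMsgNoLookups=true` as the answer to CVE-2021-44228 without saying which log4j releases honour that property. As far as I know it is only read by log4j 2.10 and later, so an operator on an older 2.x jar who uncomments the line gets no protection and no error to tell them so. I would add one more comment line to each file, for example `# Only effective with log4j 2.10 or later; on older 2.x jars remove the JndiLookup class from log4j-core instead` (with the `REM` equivalent in the .cmd file). The wording should also present the flag as a stop-gap until the upgrade to 2.15.0 or later rather than as an alternative to it. A short hint on confirming the setting, such as checking that the property appears in the JVM arguments of the running Solr process, would make the example easier to verify.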
@@ -476,9 +476,6 @@ Bug Fixes * SOLR-8319: Fix NPE in pivot facets, add non-Analyzed query method in FieldType. (Houston Putman, Isabelle Giguere) -Other Changes ---------------------- - * SOLR-15843: Update Log4J to 2.15 (Mike Drob) ================== 8.11.0 ================== From a6ae83e32cf6e244f01461fec944c052f3ec7498 Mon Sep 17 00:00:00 2001 From: Mike Drob Date: Fri, 10 Dec 2021 11:19:49 -0600 Subject: [PATCH 4/5] Fix quotes for Windows --- solr/bin/solr.in.cmd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd index feded12884e..ce3cdb7e670 100755 --- a/solr/bin/solr.in.cmd +++ b/solr/bin/solr.in.cmd @@ -213,8 +213,8 @@ REM set SOLR_ADMIN_UI_DISABLED=false REM Solr is by default allowed to read and write data from/to SOLR_HOME and a few other well defined locations REM Sometimes it may be necessary to place a core or a backup on a different location or a different disk REM This parameter lets you specify file system path(s) to explicitly allow. The special value of '*' will allow any path -REM SOLR_OPTS="%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path" +REM SOLR_OPTS=%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path REM Some previous versions of Solr use an outdated log4j dependency. If you are unable to use at least log4j version 2.15.0 REM then enable the following setting to address CVE-2021-44228 -REM SOLR_OPTS="%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true" +REM SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true From 345a95adb98f3c5fb19b7aa63422030b9111f6d2 Mon Sep 17 00:00:00 2001 From: Mike Drob Date: Fri, 10 Dec 2021 11:22:38 -0600 Subject: [PATCH 5/5] Fix Windows again --- solr/bin/solr.in.cmd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd index ce3cdb7e670..95da0aac394 100755 --- a/solr/bin/solr.in.cmd +++ b/solr/bin/solr.in.cmd 
@@ -213,8 +213,8 @@ REM set SOLR_ADMIN_UI_DISABLED=false REM Solr is by default allowed to read and write data from/to SOLR_HOME and a few other well defined locations REM Sometimes it may be necessary to place a core or a backup on a different location or a different disk REM This parameter lets you specify file system path(s) to explicitly allow. The special value of '*' will allow any path -REM SOLR_OPTS=%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path +REM set SOLR_OPTS=%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path REM Some previous versions of Solr use an outdated log4j dependency. If you are unable to use at least log4j version 2.15.0 REM then enable the following setting to address CVE-2021-44228 -REM SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true +REM set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true