CVE-2021-44228 Remediation in PR #396 Insufficient according to CVE-2021-45046 #398
Comments
From apache/solr#454 (comment), it looks like Solr is not affected and that the original Though, I guess the Docker images could apply the
Thanks @plumdog, that would be great - I'm sure that would go a long way towards easing customer concerns.
An official SOLR 8.11.1 is out
https://solr.apache.org/docs/8_11_1/changes/Changes.html#v8.11.1.bug_fixes has all the changes ... the relevant part:
However, as I understand it, there is no intention to release patched earlier versions, e.g., no 8.9.1.
Looks like I commented on the wrong issue yesterday so I will re-do it here for the relevant sentences:
@dsmiley As there is a SOLR 8.11.1, would it be possible to build the image even if SOLR is not affected?
There will definitely be an 8.11.1 docker image: #401 |
According to CVE-2021-45046 (released today), "previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability". It sounds like you'll need to remove the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) or upgrade to log4j 2.16.0 to properly remediate the issue.
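As an added example (not code from this issue or from the docker-solr project), the following Python script does what the `zip -q -d` step above does and lets a defender verify the result: it audits a log4j-core jar for the `JndiLookup` class, compares the version in the file name against 2.16.0, and can rewrite the jar without that class. The sample jar it builds is a constructed stand-in, not a real log4j artifact.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAFE_VERSION = (2, 16, 0)  # upgrade target named in the issue for CVE-2021-45046


def version_from_name(jar_name: str):
    """Parse (major, minor, patch) from a file name like log4j-core-2.15.0.jar."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)", jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_jar(jar_bytes: bytes, jar_name: str) -> dict:
    """Report whether the jar still ships JndiLookup and whether it is >= 2.16.0.
    A jar counts as remediated if it is upgraded OR the class has been removed;
    the log4j2.noFormatMsgLookup property alone is not checked because the
    advisory says it does not mitigate CVE-2021-45046."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    version = version_from_name(jar_name)
    upgraded = version is not None and version >= SAFE_VERSION
    return {"version": version, "has_jndi_lookup": has_jndi,
            "upgraded": upgraded, "remediated": upgraded or not has_jndi}


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar without JndiLookup.class (the zip -q -d step)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar(include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar; the class bytes are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = make_sample_jar(include_jndi=True)
    print(audit_jar(jar, "log4j-core-2.15.0.jar"))                     # not remediated
    print(audit_jar(strip_jndi_lookup(jar), "log4j-core-2.15.0.jar"))  # remediated
```

On a real host, point `audit_jar` at each log4j-core jar found on the classpath (for Solr, under the server libraries) and treat any result with `remediated` False as still exposed.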