This repository has been archived by the owner on Aug 6, 2022. It is now read-only.

CVE-2021-44228 Remediation in PR #396 Insufficient according to CVE-2021-45046 #398

Closed
pwhite2 opened this issue Dec 15, 2021 · 8 comments

Comments

@pwhite2

pwhite2 commented Dec 15, 2021

According to CVE-2021-45046 (released today), "previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability". It sounds like you'll need to remove the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) or upgrade to log4j 2.16.0 to properly remediate the issue.

@plumdog

plumdog commented Dec 15, 2021

From apache/solr#454 (comment), it looks like Solr is not affected and that the original log4j2.noFormatMsgLookup=true mitigation is sufficient.

Though, I guess the Docker images could apply the zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class mitigation. If Solr isn't using it, this will not break anything and will apply the best mitigation currently known.
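As an added example (not code from this thread or from the docker-solr project), the check below reports whether a log4j-core jar still carries JndiLookup.class, reads its Maven version, and rewrites the jar without the class, which is what the zip -q -d command above does. The sample jar is constructed inline; the pom.properties path is the standard Maven location for log4j-core.

```python
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Standard Maven metadata path inside log4j-core jars; carries the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(jar_path):
    """Return (version or None, True if JndiLookup.class is present)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    version = value.strip()
        return version, JNDI_LOOKUP in names


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; True if it was removed."""
    # Write to a temp file first so an interrupted run cannot truncate the jar.
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        tmp_path = jar_path + ".tmp"
        with zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP:
                    dst.writestr(item, src.read(item.filename))
    os.replace(tmp_path, jar_path)
    return True


def build_sample_jar(path, version="2.15.0"):
    """Constructed stand-in for log4j-core-<version>.jar (not a real jar)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


def demo():
    jar = build_sample_jar(os.path.join(tempfile.mkdtemp(), "log4j-core-2.15.0.jar"))
    before = inspect_jar(jar)
    removed = strip_jndi_lookup(jar)
    return before, removed, inspect_jar(jar), strip_jndi_lookup(jar)
```

Running demo() on the constructed jar yields ('2.15.0', True) before, True for the removal, ('2.15.0', False) after, and False on a second pass since the class is already gone.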

@pwhite2
Author

pwhite2 commented Dec 15, 2021

Thanks @plumdog, that would be great - I'm sure that would go a long way towards easing customer concerns.

@bmaehr

bmaehr commented Dec 16, 2021

An official SOLR 8.11.1 is out

@waja

waja commented Dec 16, 2021

@plumdog

plumdog commented Dec 16, 2021

However, as I understand it, there is no intention to release patched earlier versions, e.g., no 8.9.1.

@dsmiley
Contributor

dsmiley commented Dec 16, 2021

Looks like I commented on the wrong issue yesterday so I will re-do it here for the relevant sentences:

I'm on top of what's being reported out there, and I don't see a need to post such an issue for CVE-2021-45046 (leading to Log4j 2.16.0) as Solr isn't vulnerable to that. In summary, user input isn't in MDC thus Solr isn't vulnerable.
Regardless, the Solr project will upgrade Log4j in 8.11.1 because vulnerability scanners simply can't possibly know what a project is actually vulnerable to based on how it uses the software in question.

Solr's security bulletin on this has been updated a lot lately; definitely check it out.

@dsmiley dsmiley closed this as completed Dec 16, 2021
@bmaehr

bmaehr commented Dec 16, 2021

@dsmiley As there is a SOLR 8.11.1 would it be possible to build the image even if SOLR is not affected?

@dsmiley
Contributor

dsmiley commented Dec 17, 2021

There will definitely be an 8.11.1 docker image: #401
