Join Bridgewater State University for a Website Search Webinar on Dec. 10 | REGISTER NOW
SearchStax Site Search solution is engineered to give marketers the agility they need to optimize site search outcomes. Get full visibility into search analytics and make real-time changes with one click.
SearchStax Managed Search service automates, manages and scales hosted Solr infrastructure in public or private clouds. Free up developers for value-added tasks and reduce costs with fewer incidents.
Dec. 12, 2021
Dipsy Kapoor
|
CVE-2021-44228 was initially announced on Github Advisory on December 10, 2021, as a Critical Vulnerability affected Log4j versions prior to 2.15.0. Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser.
Solr Security website reports that Solr versions 7.4.0 to 7.7.3, 8.0.0 to 8.11.0 are affected by the Log4j Flaw Vulnerability.
During the initial analysis by Github Advisory and NVD, it was stated that “Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false””
As of December 12, 2021, the above mitigation advice has been removed from both Github Advisory and the NVD website. SearchStax team is treating this as a Critical Security Update and is going ahead with applying the mitigation advice of adding SOLR_OPTS=”$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true” to the startup scripts for all its deployments.
As of December 12, 2021 7:20 pm US Pacific time, all Solr deployments 7.4.0 and above have been patched by the SearchStax team. Other Solr versions have not been affected by CVE-2021-44228 as mentioned in the Solr Security website
Solr Security Site has been updated and confirms that Solr is not vulnerable to CVE-2021-45046 and CVE-2021-45105
“Apache Solr releases are not vulnerable to the followup CVE-2021-45046 and CVE-2021-45105, because the MDC patterns used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized and injected into log files with “%X
“. Passing system property log4j2.formatMsgNoLookups=true
(as described below) is suitable to mitigate.”
log4j2.formatMsgNoLookups=true
SearchStax now offers Solr 8.11.1 which does not have this vulnerability.
If you have any questions, please reach out to support@searchstax.com
The Stack is delivered bi-monthly with industry trends, insights, products and more
Copyrights © SearchStax Inc.2014-2024. All Rights Reserved.