How SearchStax is Handling CVE-2021-44228 / Log4j Flaw Vulnerability for Solr

How SearchStax is Handling CVE-2021-44228-Log4j Vulnerability -- pexels-tima-miroshnichenko-5380664

CVE-2021-44228 was initially announced on Github Advisory on December 10, 2021 as a Critical Vulnerability affected Log4j versions prior to 2.15.0. Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser.

Solr Security website reports that Solr versions 7.4.0 to 7.7.3, 8.0.0 to 8.11.0 are affected by the Log4j Flaw Vulnerability.

Critical Security Update

During the initial analysis by Github Advisory and NVD, it was stated that “Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false””

As of December 12, 2021, the above mitigation advice has been removed from both Github Advisory and the NVD website. SearchStax team is treating this as a Critical Security Update and is going ahead with applying the mitigation advice of adding SOLR_OPTS=”$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true” to the startup scripts for all its deployments.

Update: December 12, 2021, 7:20pm PT

As of December 12, 2021 7:20 pm US Pacific time, all Solr deployments 7.4.0 and above have been patched by the SearchStax team. Other Solr versions have not been affected by CVE-2021-44228 as mentioned in the Solr Security website

Update: December 15, 2021, 6:30pm PT

A new vulnerability CVE-2021-45046 has been published by NVD. It mentions that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. All SearchStax Solr deployments use log4j2 version 2.13.x and below and so are not affected by this vulnerability.

The Zookeepers use log4j 1.2.17 and below (See their latest pom here) and so are also not affected by CVE-2021-45046 and CVE-2021-44228

 

Update: December 16, 20201, 2:00pm PT

Solr Security Site has been updated with new information –

CVE-2021-44228: “Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through 7.3) use Log4J 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.”

“Apache Solr releases are not vulnerable to the followup CVE-2021-45046, because the MDC patterns used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized. Passing system property log4j2.formatMsgNoLookups=true (as described below) is suitable to mitigate.”

 

Update: December 20, 20201, 11:40pm PT

Solr Security Site has been updated and confirms that Solr is not vulnerable to CVE-2021-45046 and CVE-2021-45105

“Apache Solr releases are not vulnerable to the followup CVE-2021-45046 and CVE-2021-45105, because the MDC patterns used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized and injected into log files with “%X“. Passing system property log4j2.formatMsgNoLookups=true (as described below) is suitable to mitigate.”

SearchStax deployments do NOT use JMSAppender and all deployments with Solr versions above 7.4.0 have been patched to include log4j2.formatMsgNoLookups=true

If you have any questions, please reach out to support@searchstax.com