See the security advisory:
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
Uwe
Am 10. Dezember 2021 19:18:08 UTC schrieb Michael Schumann
:
>It looks like this affects Solr versions >= 7.4. Am I reading this correctly?
>
>
>References:
>https://www.luna
It looks like this affects Solr versions >= 7.4. Am I reading this correctly?
References:
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
https://help.aliyun.com/noticelist/articleid/1060971232.html
Log4j 1 is only affected if you have a "special" logging config with custom
appenders that explicitely enable this feature. If anybody does this, heshe
wants it.
Uwe
-
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail: u...@thetaphi.de
> -Original Message-
Does anyone know whether ZooKeeper is affected at all? I checked
their mailing list archive this morning to see if there was any
discussion of the issue, but didn't see anything either way.
I would guess they're unaffected - the CVE seems specific to log4j2
and ZK appears to still be on log4j-1.2
Hi,
Log4j 2.15.0 defaults to this setting enabled. This was not the case since the
2nd release candidate this moring and the final log4j release.
No log4j 2.15 had this system property removed, so it does nothing anymore. The
problem with first fix was that there were still other ways to
I’ve already posted an item to our security page. If you have improvements,
please add them, my copy was certainly rushed.
Informing our user list is a good idea too!
On Fri, Dec 10, 2021 at 10:13 AM Cassandra Targett
wrote:
> Uwe, I understand Log4J 2.15.0 is going to address the vulnerabilit
Uwe, I understand Log4J 2.15.0 is going to address the vulnerability, but do
you think we should add the system property 'log4j2.formatMsgNoLookups=true'
anyway, just as a general good practice? I got that impression from reading
your earlier message and wanted to confirm if I was correct.
Even
Hi,
there was a message by the ASF security team to the members list: All projects
should upgrade, but a CVE for each project is NOT needed:
“Note: any updates of ASF projects needed to address this should reference
CVE-2021-44228 and do not require a project-specific CVE.”
Uwe
--
In progress already it seems
https://issues.apache.org/jira/browse/SOLR-15843
On Fri, Dec 10, 2021 at 7:29 AM Gus Heck wrote:
> i think upgrade is a preferable solution lest we field repeated
> emails/jiras about vulnerability scanners detecting it.
>
> On Fri, Dec 10, 2021 at 6:24 AM Uwe Schind
i think upgrade is a preferable solution lest we field repeated
emails/jiras about vulnerability scanners detecting it.
On Fri, Dec 10, 2021 at 6:24 AM Uwe Schindler wrote:
> With log4j 2.15.0 this should be fixed and by default all expansions on
> log messages were disabled:
> https://issues.ap
With log4j 2.15.0 this should be fixed and by default all expansions on log
messages were disabled: https://issues.apache.org/jira/browse/LOG4J2-3198
-
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail: u...@thetaphi.de
> -Original Message-
> From: Uwe Schindl
On 10/12/2021 11.10, Uwe Schindler wrote:
In general the sysprop "log4j2.formatMsgNoLookups=true" fix is the only correct
fix (maybe add it to the bootstrap class of solr). Updating log4j is not really needed.
This prevents any of those shit. There's no reason ever to parse ${} escapes in log
In general the sysprop "log4j2.formatMsgNoLookups=true" fix is the only correct
fix (maybe add it to the bootstrap class of solr). Updating log4j is not really
needed. This prevents any of those shit. There's no reason ever to parse ${}
escapes in log messages. The only place where this can be u
Hi,
I did some checks:
- The problem also exists with logging parameters, so it is also executed if
you call (which is IMHO a design failure in log4j, the reason for this is that
the expansion is happending on printing the complete formatted log string to
the output file): logger.info("Foobar:
Hello,
I sent another commit which I changed the improvement based on feedbacks, I
am waiting for you to check so I can move forward with another improvements.
On Sun, 28 Nov 2021 at 20:43, Betül İnce wrote:
> Thank you for your kind reply and support! I am looking for ways to
> contribute.
>
>
15 matches
Mail list logo
