Re: Apache Solr 8.11.1 and Log4J Vulnerability

2022-04-14 Thread Shawn Heisey

On 4/14/2022 7:18 PM, Shawn Heisey wrote:

> https://paste.elyograg.org/view/ed0f1b1e
>
> The required steps are found in the first 33 lines.  The remaining
> 43000 lines are the whole build.


To be very specific, the commands I did are on lines 1, 9, 10, 14, 32, 
and 33.




Re: Apache Solr 8.11.1 and Log4J Vulnerability

2022-04-14 Thread Shawn Heisey

On 4/14/2022 6:14 PM, Shawn Heisey wrote:
> If you need to check a compliance box saying you dealt with a
> nonexistent vulnerability, just replace the jars as I already said.


If you want to get really adventurous, you could clone the git repo, 
check out branch_8_11, and build it yourself.  That build would include 
log4j 2.17.1.


Here's a transcript of a full build session on Ubuntu Linux:

https://paste.elyograg.org/view/ed0f1b1e

The required steps are found in the first 33 lines.  The remaining 43000 
lines are the whole build.


You will need Ant and a Java JDK.  I know that openjdk-8 and openjdk-11 
work.  The build will likely not work on Windows.  Some kind of *NIX 
will probably be required.


On RPM-based distros like RHEL and CentOS, you'll probably have problems 
with the packaged ant.  I know how to fix those if you need it.


If you follow those instructions and the build succeeds, the package 
files will be the following, relative to the top level of the git 
clone.  These work exactly like what you can download from 
solr.apache.org, except most everything has "-SNAPSHOT" in the filenames:


solr/package/solr-8.11.2-SNAPSHOT.tgz
solr/package/solr-8.11.2-SNAPSHOT.zip

Thanks,
Shawn



Re: Apache Solr 8.11.1 and Log4J Vulnerability

2022-04-14 Thread Shawn Heisey

On 4/14/2022 11:59 AM, Tate, Justina (DTMB) wrote:

> Can you please explain how we can go about upgrading Log4J to greater than
> 2.16.0?


Just replace the jars in the Solr install directory with newer versions 
obtained directly from the log4j project.


But there's no need.  Solr is not vulnerable to the problems fixed in 
log4j 2.17.


https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

If you need to check a compliance box saying you dealt with a 
nonexistent vulnerability, just replace the jars as I already said.


Thanks,
Shawn
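The jar replacement Shawn describes is easy to verify afterwards, and the same check shows whether an install was ever below the version a compliance reviewer asks about. The script below is an added example, not code from this thread or from the Solr project: a POSIX shell script that walks a Solr install directory, reads the version out of each log4j-*.jar filename and lists the jars below a required minimum (2.17.1 here, the version Shawn says a branch_8_11 build ships). The directory layout it constructs for the demonstration (server/lib/ext and contrib/prometheus-exporter/lib) and the jar names in it are assumptions, and it judges by filename only, not by reading the jar's MANIFEST.MF.

```shell
#!/bin/sh
# Added example (not from the thread or the Solr project): list log4j jars
# under a Solr install whose filename version is below a required minimum.

# version_ge A B: succeed when dotted version A >= B, comparing field by field.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# find_old_log4j DIR MIN: print "path version" for each log4j-*.jar under DIR
# whose version (the text after the last '-' in the basename) is below MIN.
find_old_log4j() {
    find "$1" -type f -name 'log4j-*.jar' | LC_ALL=C sort | while read -r jar; do
        base=$(basename "$jar" .jar)
        ver=${base##*-}
        if ! version_ge "$ver" "$2"; then
            echo "$jar $ver"
        fi
    done
}

# count_old_log4j DIR MIN: number of jars find_old_log4j would report.
count_old_log4j() {
    find_old_log4j "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_install: build a constructed stand-in for a Solr 8.11.x tree
# (layout assumed, jars are empty files) that is still on log4j 2.16.0 except
# for one already-replaced jar; prints the temp directory path.
make_sample_install() {
    root=$(mktemp -d)
    mkdir -p "$root/server/lib/ext" "$root/contrib/prometheus-exporter/lib"
    for name in log4j-core log4j-api log4j-slf4j-impl log4j-1.2-api; do
        : > "$root/server/lib/ext/$name-2.16.0.jar"
    done
    : > "$root/contrib/prometheus-exporter/lib/log4j-core-2.17.1.jar"
    echo "$root"
}

# Usage: sh check_log4j.sh /path/to/solr [MIN]; with no arguments the
# constructed sample tree is scanned instead.
if [ -n "$1" ]; then
    find_old_log4j "$1" "${2:-2.17.1}"
else
    sample=$(make_sample_install)
    find_old_log4j "$sample" 2.17.1
    rm -rf "$sample"
fi
```

Run it against a real install with `sh check_log4j.sh /opt/solr 2.17.1`; an empty listing means every log4j jar found by name is at or above the minimum. Because it trusts the filename, a jar that was renamed or repacked still needs its META-INF/MANIFEST.MF checked by hand.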



Apache Solr 8.11.1 and Log4J Vulnerability

2022-04-14 Thread Tate, Justina (DTMB)
Hello,

Can you please explain how we can go about upgrading Log4J to greater than 
2.16.0?

Thank you,
Justina Tate , MBA
Senior IT Business Analyst
Michigan Department of Technology, Management & Budget Agency Services 
supporting Attorney General and MSHDA
201 N. Washington Square, Ste. 900, Lansing, MI 48933
Office:  (517) 241-2926
Email:  tat...@michigan.gov