Solr Security Site has been updated with new information – CVE-2021-44228: “Apache Solr releases prior to 7.4 (i.e.

The Zookeepers use log4j 1.2.17 and below (See their latest pom here) and so are also not affected by CVE-2021-45046 and CVE-2021-44228.

Update: December 16, 2021, 2:00pm PT

All SearchStax Solr deployments use log4j2 version 2.13.x and below and so are not affected by this vulnerability.

It mentions that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

Other Solr versions have not been affected by CVE-2021-44228, as mentioned on the Solr Security website.

Update: December 15, 2021, 6:30pm PT

A new vulnerability, CVE-2021-45046, has been published by NVD.

Update: December 12, 2021, 7:20pm PT

As of December 12, 2021, 7:20 pm US Pacific time, all Solr deployments 7.4.0 and above have been patched by the SearchStax team.

The SearchStax team is treating this as a Critical Security Update and is going ahead with applying the mitigation advice of adding SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" to the startup scripts for all its deployments.

Critical Security Update

During the initial analysis by GitHub Advisory and NVD, it was stated that “Java 8u121 (see ) protects against remote code execution by defaulting “.ustURLCodebase” and “.ustURLCodebase” to “false””

As of December 12, 2021, the above mitigation advice has been removed from both GitHub Advisory and the NVD website.

The Solr Security website reports that Solr versions 7.4.0 to 7.7.3 and 8.0.0 to 8.11.0 are affected by the Log4j Flaw Vulnerability.

Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser.

CVE-2021-44228 was initially announced on GitHub Advisory on December 10, 2021, as a Critical Vulnerability affecting Log4j versions prior to 2.15.0.
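An audit of one Solr node against the affected version ranges, the log4j threshold and the startup-script mitigation described above, as an added example (not SearchStax or Apache Solr code). The function names and the paths passed in are assumptions.

```shell
#!/bin/sh
# Added example, not SearchStax or Apache Solr code. Paths are assumptions.

# True if Solr version $1 (X.Y.Z) is in the ranges the page lists as
# affected: 7.4.0 to 7.7.3 and 8.0.0 to 8.11.0.
solr_version_affected() (
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
  case "$major" in
    7) [ "$minor" -ge 4 ] && { [ "$minor" -lt 7 ] ||
         { [ "$minor" -eq 7 ] && [ "$patch" -le 3 ]; }; } ;;
    8) [ "$minor" -lt 11 ] || { [ "$minor" -eq 11 ] && [ "$patch" -eq 0 ]; } ;;
    *) false ;;
  esac
)

# Prints OK, MISSING or BROKEN-QUOTES for the startup include file $1.
# A commented-out line counts as MISSING. Typographic quotes pasted from a
# web page are not shell quotes: the assignment ends at the first space and
# the shell tries to run the -D flag as a command, so the JVM never sees it.
mitigation_state() (
  prefix='^[[:space:]]*(export[[:space:]]+)?SOLR_OPTS='
  flag='-Dlog4j2\.formatMsgNoLookups=true'
  if grep -Eq "${prefix}(“|”).*${flag}" "$1"; then
    echo BROKEN-QUOTES
  elif grep -Eq "${prefix}.*${flag}" "$1"; then
    echo OK
  else
    echo MISSING
  fi
)

# Lists log4j-core 2.x jars under directory $1 older than 2.15.0, the
# threshold the page gives for CVE-2021-44228. The page also notes that the
# 2.15.0 fix was incomplete in some non-default configurations
# (CVE-2021-45046), so this check covers CVE-2021-44228 only.
vulnerable_log4j_jars() {
  find "$1" -type f -name 'log4j-core-2.*.jar' | while IFS= read -r jar; do
    v=${jar##*/log4j-core-}; v=${v%.jar}     # e.g. 2.13.2
    minor=${v#2.}; minor=${minor%%[!0-9]*}   # e.g. 13
    [ "${minor:-0}" -lt 15 ] && printf '%s\n' "$jar"
  done | sort
}

# Usage (hypothetical paths):
#   solr_version_affected 8.6.2 && mitigation_state /etc/default/solr.in.sh
#   vulnerable_log4j_jars /opt/solr/server/lib
```
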