From 9b1a76f8b5e84c2927f41c286ceb27aab20eeeb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= Date: Sat, 18 Dec 2021 17:39:25 +0100 Subject: [PATCH 1/6] Update Solr's landing page on docker-hub with log4shell info, and also refresh links, copyright year etc. --- solr/content.md | 13 +++++++++++-- solr/get-help.md | 2 +- solr/license.md | 2 +- solr/maintainer.md | 2 +- 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/solr/content.md b/solr/content.md index 97ead3d3a492..ea9a57c9a364 100644 --- a/solr/content.md +++ b/solr/content.md 
@@ -1,8 +1,17 @@ +# NOTE: Not vulnerable to Log4J 2 "Log4shell" + +The Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2 but they are not vulnerable anymore -- you may need to re-pull the image you are using. Unmaintained images (not listed in TAGS, and thus not listed on [Docker Hub](https://hub.docker.com/_/solr?tab=tags), e.g. versions between 7.4 inclusive and 7.7.3 exclusive and some later ones) *are* vulnerable. For supported images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging. It won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. If you are in doubt of the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. + +References: +* [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr _was_ vulnerable to this. +* [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr _never was_ vulnerable to this. +* [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) + # What is Solr? -Solr is highly reliable, scalable and fault tolerant, providing distributed indexing, replication and load-balanced querying, automated failover and recovery, centralized configuration and more. Solr powers the search and navigation features of many of the world's largest internet sites. +Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. 
Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites. -Learn more on [Apache Solr homepage](http://lucene.apache.org/solr/) and in the [Apache Solr Reference Guide](https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/). +Learn more on [Apache Solr homepage](http://solr.apache.org/) and in the [Apache Solr Reference Guide](https://solr.apache.org/guide/). %%LOGO%% diff --git a/solr/get-help.md b/solr/get-help.md index 31ab6716cf5d..2e19035bf5b5 100644 --- a/solr/get-help.md +++ b/solr/get-help.md @@ -1 +1 @@ -[the Solr Community](https://lucene.apache.org/solr/community.html) +[the Solr Community](https://solr.apache.org/community.html) diff --git a/solr/license.md b/solr/license.md index 7f9d73d4b277..6d1c2be75f90 100644 --- a/solr/license.md +++ b/solr/license.md @@ -2,7 +2,7 @@ Solr is licensed under the [Apache License, Version 2.0](https://www.apache.org/ This repository is also licensed under the [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0). -Copyright 2015-2020 The Apache Software Foundation +Copyright 2015-2021 The Apache Software Foundation Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at diff --git a/solr/maintainer.md b/solr/maintainer.md index 091c3b5ad823..c46a37a53d88 100644 --- a/solr/maintainer.md +++ b/solr/maintainer.md @@ -1 +1 @@ -[the Apache Lucene/Solr project](%%GITHUB-REPO%%) +[the Apache Solr project](%%GITHUB-REPO%%) From cce71665d0fb4a6aa5935c267ebde6b5a31c31f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= Date: Mon, 20 Dec 2021 16:14:35 +0100 Subject: [PATCH 2/6] Comply to markdown standards --- solr/content.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/solr/content.md b/solr/content.md index ea9a57c9a364..bb49d82f136d 100644 --- a/solr/content.md +++ b/solr/content.md @@ -3,9 +3,9 @@ The Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2 but they are not vulnerable anymore -- you may need to re-pull the image you are using. Unmaintained images (not listed in TAGS, and thus not listed on [Docker Hub](https://hub.docker.com/_/solr?tab=tags), e.g. versions between 7.4 inclusive and 7.7.3 exclusive and some later ones) *are* vulnerable. For supported images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging. It won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. If you are in doubt of the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. References: -* [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr _was_ vulnerable to this. -* [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr _never was_ vulnerable to this. -* [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) +- [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. +- [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. +- [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) # What is Solr? From 23e8f1f429e4f82bd19c69957b7accfddcef9b72 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= Date: Mon, 20 Dec 2021 16:16:42 +0100 Subject: [PATCH 3/6] Try again --- solr/content.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/solr/content.md b/solr/content.md index bb49d82f136d..e6b90fd56a29 100644 --- a/solr/content.md +++ b/solr/content.md @@ -3,9 +3,9 @@ The Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2 but they are not vulnerable anymore -- you may need to re-pull the image you are using. Unmaintained images (not listed in TAGS, and thus not listed on [Docker Hub](https://hub.docker.com/_/solr?tab=tags), e.g. versions between 7.4 inclusive and 7.7.3 exclusive and some later ones) *are* vulnerable. For supported images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging. It won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. If you are in doubt of the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. References: -- [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. -- [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. -- [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) +- [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. +- [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. +- [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) # What is Solr? 
From 822c83606917bb84437c26fa2e139ac81e47180b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= Date: Mon, 20 Dec 2021 16:19:01 +0100 Subject: [PATCH 4/6] More md edits --- solr/content.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/solr/content.md b/solr/content.md index e6b90fd56a29..4928792a113a 100644 --- a/solr/content.md +++ b/solr/content.md 
@@ -1,8 +1,9 @@ # NOTE: Not vulnerable to Log4J 2 "Log4shell" -The Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2 but they are not vulnerable anymore -- you may need to re-pull the image you are using. Unmaintained images (not listed in TAGS, and thus not listed on [Docker Hub](https://hub.docker.com/_/solr?tab=tags), e.g. versions between 7.4 inclusive and 7.7.3 exclusive and some later ones) *are* vulnerable. For supported images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging. It won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. If you are in doubt of the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. +The Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2 but they are not vulnerable anymore -- you may need to re-pull the image you are using. Unmaintained images (not listed in TAGS, and thus not listed on [Docker Hub](https://hub.docker.com/_/solr?tab=tags), e.g. versions between 7.4 inclusive and 7.7.3 exclusive and some later ones) *are* vulnerable. For supported images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging. It won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. 
If you are in doubt of the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. References: + - [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. - [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. - [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) From 37faf1f7c4b484b05d7d8b01bb64fc0cf49296b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= Date: Mon, 20 Dec 2021 16:28:31 +0100 Subject: [PATCH 5/6] Update text of log4j vulnerability --- solr/content.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solr/content.md b/solr/content.md index 4928792a113a..b9009364b2ac 100644 --- a/solr/content.md +++ b/solr/content.md 
@@ -1,6 +1,6 @@ # NOTE: Not vulnerable to Log4J 2 "Log4shell" -The Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2 but they are not vulnerable anymore -- you may need to re-pull the image you are using. Unmaintained images (not listed in TAGS, and thus not listed on [Docker Hub](https://hub.docker.com/_/solr?tab=tags), e.g. versions between 7.4 inclusive and 7.7.3 exclusive and some later ones) *are* vulnerable. For supported images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging. It won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. If you are in doubt of the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. +Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. You may need to re-pull the image you are using. For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. As of Solr 8.11.1, Solr is using Log4J 2.16.0. References: From e1ec2569c060552cc5dade7bb201a5856f20f8cd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= Date: Mon, 20 Dec 2021 16:29:58 +0100 Subject: [PATCH 6/6] Reformat text --- solr/content.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solr/content.md b/solr/content.md index b9009364b2ac..17db6ee5e3ff 100644 --- a/solr/content.md +++ b/solr/content.md 
@@ -1,6 +1,6 @@ # NOTE: Not vulnerable to Log4J 2 "Log4shell" -Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. You may need to re-pull the image you are using. For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. As of Solr 8.11.1, Solr is using Log4J 2.16.0. +Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. You may need to re-pull the image you are using. For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. As of Solr 8.11.1, Solr is using Log4J 2.16.0. References:
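Review bot: In the PATCH 1/6 content.md hunk the new heading `# NOTE: Not vulnerable to Log4J 2 "Log4shell"` is contradicted two sentences later by "Unmaintained images ... *are* vulnerable", so a reader who only skims the heading gets a stronger assurance than the body supports; scope the heading to what is actually claimed, e.g. `# NOTE: Supported images are not vulnerable to Log4J 2 "Log4shell"`, and keep the explicit range of unmaintained vulnerable tags next to it. The verification hint in the same hunk ("look for `-Dlog4j2.formatMsgNoLookups` in the Args section") only covers the pre-8.11.1 mitigation path, so a user on 8.11.1 who follows it will not find the flag and cannot tell whether that is expected; say what to check on 8.11.1 and later instead (the Log4J version the image ships) so the check does not fail open on newer images.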
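Review bot: The replaced homepage link in the PATCH 1/6 content.md hunk, `[Apache Solr homepage](http://solr.apache.org/)`, moves to the new domain but keeps plain `http://`, while the neighbouring `[Apache Solr Reference Guide](https://solr.apache.org/guide/)` and the get-help.md change both use `https://`; use `https://solr.apache.org/` so the landing page does not send users through a cleartext request for a page that is now about a security advisory.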
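Review bot: The PATCH 3/6 ("Try again") and PATCH 6/6 ("Reformat text") hunks each show removed and added lines that are byte-for-byte identical in the rendered diff, so the real change (presumably trailing whitespace or line endings) is invisible to a reviewer and neither commit message names it; either state the change in the message (e.g. "Strip trailing whitespace from References list") or squash these two into PATCH 2/6 and PATCH 5/6 respectively before merge, so the history of a security notice stays auditable.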
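Review bot: The PATCH 5/6 hunk adds "As of Solr 8.11.1, Solr is using Log4J 2.16.0." as a bare fact on a landing page that will outlive it; date the statement or point it at the security bulletin already listed under References so a later Log4J bump does not leave a stale claim implying 2.16.0 is still current. The same hunk also replaces the concrete "Unmaintained images (... versions between 7.4 inclusive and 7.7.3 exclusive and some later ones) *are* vulnerable" with the vaguer "we have mitigated *supported* images (and some others)" without naming which tags were re-published; keep the explicit unmaintained ranges so users of those tags are not led to believe a re-pull makes them safe.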