Upgrade Apache Solr 8.10.1 log4j 2.14.1 version to 2.15 to address critical vulnerability

java log4j solr

Recently a critical log4j vulnerability was discovered.

I want to upgrade the log4j as used by my current Solr instance, so I checked here. However, I don't see a log4j.properties file in "/server/resources/" folder. All I see there is:

  • jetty-logging.properties
  • log4j2.xml
  • log4j2-console.xml

None of these files contain a version. So to upgrade, is it safe to download the latest version of log4j and overwrite the existing jars in folder "\solr-8.10.1\server\lib\ext", or what are the recommended steps to upgrade?


The link you're pointing to is for an older version of Solr (6.6 instead of 8.10.1). The correct version is https://solr.apache.org/guide/8_10/configuring-logging.html where it mentions using log4j 2.

The file log4j2.xml (and even `log4j.properties for that matter) configure the logging itself, not the version of log4j. So updating that file is irrelevant.

Here's what the project page recommends:

2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228

...

Description: Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.

...

Mitigation: Any of the following are enough to prevent this vulnerability for Solr servers:

  • Upgrade to Solr 8.11.1 or greater (when available), which will include an updated version of the log4j2 dependency.
  • Manually update the version of log4j2 on your runtime classpath and restart your Solr application.
  • (Linux/MacOS) Edit your solr.in.sh file to include: SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
  • (Windows) Edit your solr.in.cmd file to include: set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
  • Follow any of the other mitgations listed at https://logging.apache.org/log4j/2.x/security.html

What you're proposing (overwrite the existing jars in folder "\solr-8.10.1\server\lib\ext") seems like the second approach, so it should probably work fine. Just make sure this is the correct place that contains the log4j dependency.


Replace all the jars with their corresponding 2.15 version in lib/ext and restart solr. Seem to work.

  1. log4j-api-2.11.0.jar
  2. log4j-core-2.11.0.jar
  3. log4j-1.2-api-2.11.0.jar
  4. log4j-slf4j-impl-2.11.0.jar

I updated all of my log4j jars from 2.11 to 2.15 in my /opt/solr-7.4.0/server/lib/ext folder and I am not seeing any issues. Your approach seems to work.


With the new CVE SOLR_OPTS is not enough. Upgrading to 2.17 seems like the best option. Here's what worked for us.

sudo find / -name "*log4j*"
cd /app/solr/solr-7.7.0/server/lib/ext/
sudo curl https://dlcdn.apache.org/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip --output apache-log4j-2.17.0-bin.zip
sudo unzip apache-log4j-2.17.0-bin.zip
sudo rm log4j-*-2.11*
sudo cp apache-log4j-2.17.0-bin/{log4j-1.2-api-2.17.0.jar,log4j-api-2.17.0.jar,log4j-core-2.17.0.jar,log4j-slf4j-impl-2.17.0.jar} ./
sudo chown solr:solrgrp *
sudo chmod 755 *
sudo service solr restart

cd /app/solr/solr-7.7.0/contrib/prometheus-exporter/lib/
sudo rm log4j-*-2.11*
sudo cp /app/solr/solr-7.7.0/server/lib/ext/apache-log4j-2.17.0-bin/{log4j-api-2.17.0.jar,log4j-core-2.17.0.jar,log4j-slf4j-impl-2.17.0.jar} ./
sudo chown solr:solrgrp *
sudo chmod 755 *
sudo service solr restart

Related

Jest setup "SyntaxError: Unexpected token export"
How to align horizontal icon and text in MUI
Rails, Ruby, how to sort an Array?
Xcode 6.4 showing duplicate 'Simulators' with Unique Id
Adding a line break to a UITextView
Installing PyCrypto on Ubuntu - fatal error on build
javascript - replace dash (hyphen) with a space
Sublime Text 2: How to get scss and Less files to have color?
How to install Mono on macOS so mono works in terminal?
`vsync` property in TabController constructor
jQuery, get ID of each element in a class using .each?
javascript url-safe filename-safe string