Log4j Vulnerability – Advisory for Curator Customers

Updated on December 10th, 2022

We are aware of a vulnerability that’s been exposed within log4j which is only utilized in IPV Curator systems by Apache Solr.

IPV also uses Log4Net, which is a Microsoft port of the Apache code and does not expose this vulnerability. 

Please rest assured that the Solr instance used by Curator is not exposed publicly on Curator systems. However, we understand that the vulnerability is concerning, so we recommend applying a patch to further mitigate any risk. Of the three log4j vulnerabilities, the mitigation below removes CVE-2021-44228 from Solr; Apache Solr releases are not affected by the follow-up vulnerabilities CVE-2021-45046 and CVE-2021-45105.

The preferred mitigation is to deploy the HotFix to Curator 3.3.1 (Curator Server version 4.0.1.151).

Alternatively, a manual mitigation can be applied as follows:

  1. Edit the Solr command file at [Curator Server InstallationPath]\Server\Solr\bin\solr.in.cmd and add the following line:
    set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
  2. Restart Curator Server.
  3. To confirm the setting has taken effect, open the Solr Admin page on the Curator Server machine (http://localhost:8983/solr/#/) and check that “-Dlog4j2.formatMsgNoLookups=true” appears under the JVM Args heading.
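
To confirm the manual mitigation from a script rather than by eye, here is an added example in Python (not IPV's or Solr's own code): it checks both that solr.in.cmd sets the flag on an uncommented line and that the running JVM reports it through Solr's /solr/admin/info/system endpoint, which returns the same list the Admin UI shows as JVM Args. The sample file contents and JSON below are constructed, not captured from a real system.

```python
import json
import re
import urllib.request

FLAG = "-Dlog4j2.formatMsgNoLookups=true"   # Java property names are case-sensitive

def solr_in_cmd_sets_flag(cmd_text: str) -> bool:
    """True if an uncommented 'set SOLR_OPTS=...' line in solr.in.cmd carries FLAG."""
    for raw in cmd_text.splitlines():
        line = raw.strip()
        # 'REM' and '::' introduce comments in a .cmd file, so those lines do nothing
        if re.match(r"(rem\b|::)", line, re.IGNORECASE):
            continue
        m = re.match(r"set\s+SOLR_OPTS\s*=(.*)", line, re.IGNORECASE)
        if m and FLAG in m.group(1):
            return True
    return False

def running_jvm_has_flag(system_info_json: str) -> bool:
    """True if the JVM args reported by /solr/admin/info/system include FLAG
    (jvm -> jmx -> commandLineArgs, the list shown as 'JVM Args' in Solr Admin)."""
    info = json.loads(system_info_json)
    args = info.get("jvm", {}).get("jmx", {}).get("commandLineArgs", [])
    return FLAG in args

def fetch_system_info(base_url: str = "http://localhost:8983/solr") -> str:
    """Fetch live system-info JSON from Solr (needs a running Curator Server)."""
    with urllib.request.urlopen(base_url + "/admin/info/system?wt=json", timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed samples for an offline self-check (not real system output)
SAMPLE_CMD_PATCHED = (
    "REM set SOLR_OPTS=%SOLR_OPTS% -Dsolr.autoSoftCommit.maxTime=3000\r\n"
    "set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true\r\n"
)
SAMPLE_CMD_UNPATCHED = "REM set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true\r\n"
SAMPLE_INFO_PATCHED = json.dumps({"jvm": {"jmx": {"commandLineArgs": [
    "-Xms512m", "-Xmx512m", "-Dlog4j2.formatMsgNoLookups=true"]}}})
SAMPLE_INFO_UNPATCHED = json.dumps({"jvm": {"jmx": {"commandLineArgs": ["-Xms512m"]}}})

if __name__ == "__main__":
    print("cmd file sets flag:", solr_in_cmd_sets_flag(SAMPLE_CMD_PATCHED))      # True
    print("running JVM has flag:", running_jvm_has_flag(SAMPLE_INFO_PATCHED))    # True
    # Against a live server: running_jvm_has_flag(fetch_system_info())
```

A passing check confirms the flag is present in the running JVM; it does not verify the Log4j version, and the property is only honoured by Log4j 2.10 and later.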

Either method provides complete mitigation of the log4j vulnerabilities as declared by Solr. We will continue to monitor the situation and keep our partners and customers informed. For the full statement from Solr, please refer to the following link: https://solr.apache.org/news.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
