Because the CVE-2021-44228 vulnerability was discovered in Apache Log4j2, which is used in Apache Solr, countermeasures are needed to eliminate any potential risk.
As described here: https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228, the vulnerability applies to all versions of Apache Solr using the Log4j2 library. The page lists a number of solutions that will eliminate the problem.
One of these solutions involves manually updating the log4j2 component to version 2.16.0 (or higher). Download Apache Log4j 2 binary (zip) from here: https://logging.apache.org/log4j/2.x/download.html
At the time of writing, the latest version is 2.16.0, and this is the version used in the steps below.
How to manually replace log4j2 files
In this example, the search component is installed on drive D: in the default folder, on a machine available under the DNS name solrserver.
- Download Apache Log4j 2 binary (zip) from https://logging.apache.org/log4j/2.x/download.html
- Stop Webcon BPS Search Service
- Delete the following files from folder D:\Program Files\WEBCON\WEBCON BPS Search Server\Search Cluster\Solr\contrib\prometheus-exporter\lib
  - log4j-api-2.13.2.jar
  - log4j-core-2.13.2.jar
  - log4j-slf4j-impl-2.13.2.jar
- Delete the following files from folder D:\Program Files\WEBCON\WEBCON BPS Search Server\Search Cluster\Solr\server\lib\ext
  - log4j-1.2-api-2.13.2.jar
  - log4j-api-2.13.2.jar
  - log4j-core-2.13.2.jar
  - log4j-slf4j-impl-2.13.2.jar
  - log4j-web-2.13.2.jar
- Copy the following files from the downloaded archive:
  - log4j-api-2.16.0.jar
  - log4j-core-2.16.0.jar
  - log4j-slf4j-impl-2.16.0.jar
- Paste the copied files in folder D:\Program Files\WEBCON\WEBCON BPS Search Server\Search Cluster\Solr\contrib\prometheus-exporter\lib
- Copy the following files from the downloaded archive:
  - log4j-1.2-api-2.16.0.jar
  - log4j-api-2.16.0.jar
  - log4j-core-2.16.0.jar
  - log4j-slf4j-impl-2.16.0.jar
  - log4j-web-2.16.0.jar
- Paste the copied files in folder D:\Program Files\WEBCON\WEBCON BPS Search Server\Search Cluster\Solr\server\lib\ext
- Start Webcon BPS Search Service
- Verify whether the search server functions correctly by e.g. opening the following in a browser:
  - http://solrserver:8983
  - http://solrserver:8983/solr/BPS_Activities/query?q=*&rows=1
  - http://solrserver:8983/solr/BPS_Elements/query?q=*&rows=1
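
The browser checks confirm that Solr starts, but not that every old jar is gone. The PowerShell script below is an added example, not part of the original article or of WEBCON's tooling: it audits the two folders from the steps above and reports any log4j jar older than 2.16.0, any artifact present in two versions, and any expected artifact that is missing. The parameter names are illustrative, and the default path assumes the install location used in this article.

```powershell
# Added example: audit the two Solr folders from this article after the jar swap.
# Assumption: $SolrRoot matches the install path used in the article.
param(
    [string]$SolrRoot = 'D:\Program Files\WEBCON\WEBCON BPS Search Server\Search Cluster\Solr',
    [version]$MinVersion = '2.16.0'
)

# Artifacts the article places in each folder (relative to $SolrRoot).
$expected = @{
    'contrib\prometheus-exporter\lib' = @('log4j-api', 'log4j-core', 'log4j-slf4j-impl')
    'server\lib\ext'                  = @('log4j-1.2-api', 'log4j-api', 'log4j-core',
                                          'log4j-slf4j-impl', 'log4j-web')
}

$problems = foreach ($rel in $expected.Keys) {
    $dir  = Join-Path $SolrRoot $rel
    $jars = @(Get-ChildItem -LiteralPath $dir -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue)
    $seen = @{}
    foreach ($jar in $jars) {
        # Split e.g. "log4j-1.2-api-2.16.0.jar" into artifact name and version.
        if ($jar.Name -match '^(?<artifact>log4j-.+)-(?<ver>\d+\.\d+\.\d+)\.jar$') {
            $artifact = $Matches['artifact']
            # An old jar left next to the new one still ends up on the classpath.
            if ([version]$Matches['ver'] -lt $MinVersion) { "OLD       $($jar.FullName)" }
            if ($seen.ContainsKey($artifact))             { "DUPLICATE $($jar.FullName)" }
            $seen[$artifact] = $true
        }
        else {
            # Renamed or pre-release jars cannot be judged by name; review by hand.
            "UNPARSED  $($jar.FullName)"
        }
    }
    # A missing artifact usually means Solr will not start or will not log.
    foreach ($artifact in $expected[$rel]) {
        if (-not $seen.ContainsKey($artifact)) { "MISSING   $artifact in $dir" }
    }
}

if ($problems) { $problems; exit 1 }
"OK: all log4j jars under $SolrRoot are at version $MinVersion or newer"
```

The check relies on the version in each file name, so a jar that was renamed is not identified correctly.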