Home / [SECURITY] Apache Solr affected by Apache Log4J CVE-2021-44228

[SECURITY] Apache Solr affected by Apache Log4J CVE-2021-44228

13.12.2021

Due to the discovery of the CVE-2021-44228 vulnerability in Apache Log4j2 which is used in Apache Solr, it is necessary to take countermeasures that will eliminate any potential risk.

As described here: https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228, the vulnerability applies to all versions of Apache Solr using the Log4j2 library. The page lists a number of solutions that will eliminate the problem.

One of these solutions involves manually updating the log4j2 component to version 2.16.0 (or higher). Download Apache Log4j 2 binary (zip) from here: https://logging.apache.org/log4j/2.x/download.html

At the time of creating this article, the latest version is 2.16.0 (and this version will be used in the manual).

How to manually replace log4j2 files

In this example, the search component is installed on disk D: in the default folder, on a machine available under DNS name solserver.

Download Apache Log4j 2 binary (zip) from https://logging.apache.org/log4j/2.x/download.html
Stop Webcon BPS Search Service
Delete the following files from folder D:\Program Files\WEBCON\WEBCON BPS Search Server\Search Cluster\Solr\contrib\prometheus-exporter\lib\
- log4j-api-2.13.2.jar
- log4j-core-2.13.2.jar
- log4j-slf4j-impl-2.13.2.jar
Delete the following files from folder D:\Program Files\WEBCON\WEBCON BPS Search Server\Search Cluster\Solr\server\lib\ext\
- log4j-1.2-api-2.13.2.jar
- log4j-api-2.13.2.jar
- log4j-core-2.13.2.jar
- log4j-slf4j-impl-2.13.2.jar
- log4j-web-2.13.2.jar
Copy the following files from the downloaded archive:
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-slf4j-impl-2.16.0.jar
Paste the copied files in folder D:\Program Files\WEBCON\WEBCON BPS Search Server\Search Cluster\Solr\contrib\prometheus-exporter\lib\
Copy the following files from the downloaded archive
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-slf4j-impl-2.16.0.jar
- log4j-web-2.16.0.jar
Paste the copied files in folder D:\Program Files\WEBCON\WEBCON BPS Search Server\Search Cluster\Solr\server\lib\ext\
Start Webcon BPS Search Service
Verify whether the search server functions correctly by e.g. opening the following in a browser:
- http://solrserver:8983
- http://solrserver:8983/solr/BPS_Activities/query?q=*&rows=1
- http://solrserver:8983/solr/BPS_Elements/query?q=*&rows=1

WEBCON sp. z o.o.

Babinskiego 69
30-393 Krakow
Poland

office@webcon.com
+48 12 443 13 90

created by

Our website uses cookies to better meet your requirements. Proper configuration of browser options allows you to block or remove cookies but can also cause the site to not function properly or even at all. By continuing to use the site, with no change to your browser settings, you agree to the use of cookies. Read our privacy policy to get more information.