A security vulnerability has been discovered that affects Apache Log4j versions 2.0-beta9 to 2.14.1, including the Solr version packaged with frevvo v10.0.x - v10.1.x. Please see this CISA article for more details about the vulnerability. frevvo's Solr version will be upgraded in a future release (TIP-31067).
Only the Solr server is affected by this vulnerability, not the frevvo application.
This vulnerability also impacts the Solr version packaged with frevvo v9.0.x. Customers on v9 may use the following mitigation actions; however, v9 has reached End of Life and has not been tested with this change. We recommend that customers running v9 consider upgrading to the latest On Premise version.
To the best of our knowledge, this vulnerability does not impact customers running frevvo v7.4 and earlier.
On Premise Customers - Action Required
On Premise Customers running v10.0.x - v10.1.x must mitigate this vulnerability by following these steps.
- Stop frevvo.
- Stop solr.
- Edit the file solr.in.cmd
  - Under REM Set the thread stack size, add the property
    set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
- Edit the file solr.in.sh
  - Under # Set the thread stack size, add the property
- Save the file.
- Restart frevvo.
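To confirm the edit is effective, the check below (an added example, not frevvo's code) parses a Solr include file and reports whether an active SOLR_OPTS assignment carries the flag and no later assignment overwrites it. The sample files are constructed, and the solr.in.sh line in them is an assumed shell equivalent of the solr.in.cmd line above, which this page does not show.

```shell
#!/bin/sh
# Added example: verify the Log4j mitigation flag in solr.in.sh / solr.in.cmd.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# check_solr_include FILE
#   0 = flag is set by an active SOLR_OPTS assignment and not overwritten later
#   1 = flag missing, commented out, or dropped by a later assignment
#   2 = file not readable
check_solr_include() {
    [ -r "$1" ] || return 2
    awk -v flag="$FLAG" '
        /^[ \t]*(#|::)/ || /^[ \t]*[Rr][Ee][Mm]([ \t]|$)/ { next }  # comment lines
        !/SOLR_OPTS[ \t]*=/ { next }                                 # assignments only
        {
            rhs = substr($0, index($0, "=") + 1)
            # Does this assignment append to the existing value?
            keeps = index(rhs, "$SOLR_OPTS") || index(rhs, "${SOLR_OPTS}") || index(rhs, "%SOLR_OPTS%")
            if (index(rhs, flag)) on = 1
            else if (!keeps) on = 0      # value replaced: earlier flag is lost
        }
        END { exit on ? 0 : 1 }
    ' "$1"
}

# Constructed sample files, for illustration only (assumed file contents).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# Set the thread stack size' 'SOLR_OPTS="$SOLR_OPTS -Xss256k"' \
        'SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"' > "$d/good.in.sh"
    printf '%s\n' '#SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"' > "$d/commented.in.sh"
    printf '%s\r\n' 'REM Set the thread stack size' \
        'set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true' > "$d/good.in.cmd"
    for f in "$d"/*; do
        if check_solr_include "$f"; then echo "OK       ${f##*/}"
        else echo "MISSING  ${f##*/}"; fi
    done
    rm -rf "$d"
}
demo
```

Point check_solr_include at the include file in your own Solr installation; exit status 0 means the flag will be passed to the JVM on the next start.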
We appreciate you trusting frevvo with your mission critical applications. It is our goal to always provide you with the highest quality of service possible.
frevvo Customer Support