A security vulnerability has been discovered that affects Apache Log4j versions 2.0-beta9 to 2.14.1. This affects the solr version packaged with frevvo v10.0.x - v10.1.x. Please see this CISA article for more details about the vulnerability. frevvo's solr version will be upgraded in a future release (TIP-31067).
Only the solr server is affected by this vulnerability, not the frevvo application itself.
This vulnerability also impacts the solr version packaged with frevvo v9.0.x. Customers on v9 may use the following mitigation actions; however, v9 has reached End of Life and this change has not been tested on it. We recommend that customers running v9 consider upgrading to the latest On Premise version.
To the best of our knowledge, this vulnerability does not impact customers running frevvo v7.4 and earlier.
On Premise Customers - Action Required
On Premise Customers running v10.0.x - v10.1.x must mitigate this vulnerability by following these steps.
- Stop frevvo.
- Stop solr.
- Open <frevvoinstalldir>/solr/bin/
- Windows
  - Edit the file solr.in.cmd
  - Under REM Set the thread stack size, add the property
    set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
- Linux
  - Edit the file solr.in.sh
  - Under # Set the thread stack size, add the property
    SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
- Save the file.
- Restart solr.
- Restart frevvo.
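The Linux edit above can be applied and checked from a shell, which is useful when several frevvo hosts need the same change. The script below is an added example, not a frevvo or Solr script: it inserts the SOLR_OPTS property directly under the "# Set the thread stack size" comment of a solr.in.sh (appending it at the end if that comment is missing), refuses to add it twice, and verifies the result on a constructed sample file. The file path argument and the sample file contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not frevvo's own tooling): apply and verify the Log4j
# mitigation property in a Solr solr.in.sh. Assumes the file is passed as $1
# and that the anchor comment reads exactly "# Set the thread stack size".

MITIGATION_LINE='SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"'

# Return 0 if the file already carries the mitigation property.
has_mitigation() {
  grep -q -- '-Dlog4j2.formatMsgNoLookups=true' "$1"
}

# Return 0 if the mitigation line is the line immediately after the anchor.
mitigation_follows_anchor() {
  next=$(sed -n '/^# Set the thread stack size/{n;p;}' "$1")
  [ "$next" = "$MITIGATION_LINE" ]
}

# Insert the property after the anchor comment; append if the anchor is
# absent; do nothing if the property is already present (idempotent).
apply_mitigation() {
  file="$1"
  if has_mitigation "$file"; then
    return 0
  fi
  if grep -q '^# Set the thread stack size' "$file"; then
    # awk copies every line and emits the mitigation right after the anchor
    awk -v line="$MITIGATION_LINE" '
      { print }
      /^# Set the thread stack size/ { print line }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s\n' "$MITIGATION_LINE" >> "$file"
  fi
}

# Self-check on a constructed solr.in.sh fragment: apply twice, expect exactly
# one copy of the property, placed directly under the anchor. Returns 0 on pass.
demo() {
  dir=$(mktemp -d)
  f="$dir/solr.in.sh"
  # Constructed sample resembling the relevant section of a stock solr.in.sh
  cat > "$f" <<'EOF'
# Increase Java Heap as needed to support your indexing / query needs
SOLR_HEAP="512m"

# Set the thread stack size
#SOLR_OPTS="$SOLR_OPTS -Xss256k"
EOF
  apply_mitigation "$f"
  apply_mitigation "$f"   # second run must not duplicate the line
  count=$(grep -c -- 'formatMsgNoLookups' "$f")
  mitigation_follows_anchor "$f"; placed=$?
  rm -rf "$dir"
  [ "$count" -eq 1 ] && [ "$placed" -eq 0 ]
}

# Run the self-check when executed directly; otherwise apply to the given file.
if [ -n "$1" ]; then
  apply_mitigation "$1" && has_mitigation "$1" && echo "mitigation present in $1"
fi
```

After restarting solr, confirm the running JVM actually received the property (for example, under Java Properties in the Solr admin UI); an edit to the wrong copy of solr.in.sh is a common way for this step to silently fail. The Windows solr.in.cmd edit shown above is the same change expressed in cmd syntax and is not covered by this script.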
See this Solr article for additional details on mitigation steps. If you have any questions please contact support@frevvo.com.
We appreciate you trusting frevvo with your mission critical applications. It is our goal to always provide you with the highest quality of service possible.
Thank you,
frevvo Customer Support
Comments
This article has been updated with corrected mitigation steps and instructions for customers on v9 and earlier.