By this time you might have already heard/read about the Apache Solr Log4J security vulnerability: https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
I’ve also been gathering information about it, as I was curious to know more about it and its impact on Sitecore applications. I’ve gathered some basic information, which I thought I’d share with you as well!
Note: I’m not a security expert and don’t have full visibility into your environment/implementation/setup. So please take this advice as a guiding principle, but work with your internal teams and follow their recommendations.
Let’s delve into this further:
What is the apache-log4j-cve-2021-44228 security vulnerability?
The following excerpt from the Official Page describes an issue:
Would you like to know more about this? Then please refer to the following image; it explains it nicely and also provides the solution to fix it (which we will discuss in the next section).
Couldn’t resist sharing the following Image as it really says “1000+ words!” in this situation:
Have we been impacted by this Security Vulnerability?
- Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0: If your Solr version falls within these ranges, then you are impacted by this issue. (Applies to: 9.2.0 (Initial Release) +)
- Solr public access :
- Update#4 : As per recent Twitter comments from Nick Wesselman and Per Manniche Bering, I learned that this issue can also impact your Solr if it’s not public. Solr logs queries, and attackers can try to provide malicious queries via user input.
If your Solr is not publicly accessible, then you won’t be impacted by this issue (as per my understanding and from talking to Solr experts in my network; if you think otherwise, please comment). This is usually the case with Sitecore applications, as only internal apps need to communicate with Solr and Solr should not be publicly accessible. In case your team needs to troubleshoot Solr queries via the Solr Admin Panel, it should be done in the following ways:
- Your Solr VMs should be secured by Azure Bastion: https://azure.microsoft.com/en-us/services/azure-bastion/#overview
- IP Whitelisting should be used and Solr should be behind login
- What If we are using SearchStax? :
I haven’t seen any official information from SearchStax yet, but I will update this post if I come across any update from them. You can always reach out to them and find out details.
- https://www.searchstax.com/blog/how-searchstax-is-handling-cve-2021-44228-log4j-vulnerability – SearchStax has already got you covered; please review this post for more information. [Thanks Sameer for the blog post link!]
- If you’ve followed https://www.searchstax.com/docs/security/ especially IP Filtering then you should be covered. But as I mentioned earlier, good to double check.
How to fix this for my Sitecore Application?
Update #2: Sitecore KB Article (Covers steps for containerized environments): https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1001391
Update #5: If you are using Cloudflare WAF and you need more time to update your systems then you can also use Cloudflare WAF rules to protect your app from this vulnerability: https://blog.cloudflare.com/log4j-cloudflare-logs-mitigation/ (Note: This is a temporary solution)
Manual
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 – The official page lists a few options to fix this. As you know, in the Sitecore world you can’t upgrade Solr to a version that isn’t compatible with Sitecore, and in that case Option #3 or #4 makes sense (highlighted in yellow below):
But if you have multiple Solr instances running (Solr + Zookeeper in ensemble mode), then it might be monotonous for you to make this change on each one. In this case, the Automated approach is right for you!
Automated
Alex van Wolferen has already done this for you (Thanks!): https://www.alexvanwolferen.nl/sitecore-solr-fix-log4j-cve-2021-44228/
You can take his code and modify it as per your need: https://github.com/avwolferen/Sitecore.Solr-log4j-mitigation
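As an added example (not from the original post, the Sitecore KB, or Alex van Wolferen's repository), the PowerShell below checks each Solr node against the affected version ranges listed above and looks in `solr.in.cmd` for the `-Dlog4j2.formatMsgNoLookups=true` option that the Solr advisory lists as a mitigation. The node names, versions and file contents are constructed sample data, and the function names are hypothetical.

```powershell
# Added example: ranges are the "Versions Affected" values quoted in this post.
$AffectedRanges = @(
    @{ Min = [version]'7.4.0'; Max = [version]'7.7.3' },
    @{ Min = [version]'8.0.0'; Max = [version]'8.11.0' }
)

function Test-SolrVersionAffected {
    param([Parameter(Mandatory)][string]$Version)
    $v = [version]$Version                      # throws on non-numeric versions
    foreach ($r in $AffectedRanges) {
        if ($v -ge $r.Min -and $v -le $r.Max) { return $true }
    }
    return $false
}

function Test-LookupMitigationSet {
    # $ConfigLines: the lines of solr.in.cmd, e.g. from Get-Content.
    param([string[]]$ConfigLines)
    foreach ($line in $ConfigLines) {
        $t = $line.Trim()
        if ($t -match '^(REM\b|::)') { continue }   # commented-out lines do not count
        if ($t -match '^set\s+"?SOLR_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true\b') {
            return $true
        }
    }
    return $false
}

# Constructed inventory: node names, versions and file contents are sample data.
$nodes = @(
    [pscustomobject]@{ Node = 'solr-01'; Version = '8.4.0'
        Config = @('set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true') },
    [pscustomobject]@{ Node = 'solr-02'; Version = '8.4.0'
        Config = @('REM set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true') },
    [pscustomobject]@{ Node = 'solr-03'; Version = '7.2.1'; Config = @() }
)

foreach ($n in $nodes) {
    $affected  = Test-SolrVersionAffected -Version $n.Version
    $mitigated = Test-LookupMitigationSet -ConfigLines $n.Config
    $status = 'not in affected range'
    if ($affected) {
        $status = if ($mitigated) { 'affected, option configured' } else { 'affected, option missing' }
    }
    [pscustomobject]@{ Node = $n.Node; Version = $n.Version; Status = $status }
}
```

In practice, pass the output of `Get-Content` on each node's `solr.in.cmd` as `-ConfigLines`. A matching line only shows the option is configured; Solr must be restarted for it to take effect.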
I hope this post helps you answer a lot of the questions you have about this vulnerability. If you have some new learnings, please drop them in a comment, and I will update the post!
I will keep this post updated as I learn more about it.
Version History
- 13-Dec-2021 1 PM CT : Updated SearchStax Section with blog post link from SearchStax
- 13-Dec-2021 2.32 PM CT: Added Sitecore KB Article Link
- 13-Dec-2021 10.27 PM CT : Image Credits added
- 14-Dec-2021 07.37 AM CT : Updated public Solr access section as per Twitter comments
- 14-Dec-2021 11.16 AM CT : Added Cloudflare WAF blog link