Fixing Apache Log4J Vulnerability for Sitecore with Solr - CVE-2021-44228

The issue

If you use any Log4J version from 2.0-beta9 to 2.14.1, then you need to patch it. The severity of this vulnerability was classified as Critical.

You don’t need to patch it if you are using a Solr version after 8.11.1.

This vulnerability allows malicious actors to execute payloads on vulnerable machines. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

More information about the CVE:

The Solution

The solution is fairly simple: just edit the solr.in.cmd file to include the following parameter:

set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true

You can also run the following script to fix that:

This will add the mentioned line to solr.in.cmd and restart the Solr service.
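The script embedded in the post is not reproduced here; the following is an added example (not the author's script) that performs the same procedure on a Windows Solr host: back up solr.in.cmd, append the SOLR_OPTS line only if it is not already present, restart the Solr Windows service, and verify that the running JVM actually carries the flag. The install path and service name are assumptions and must be adjusted for your installation.

```powershell
# Added example: mitigate CVE-2021-44228 on a Windows Solr host by adding
# -Dlog4j2.formatMsgNoLookups=true to solr.in.cmd and restarting Solr.
# ASSUMPTIONS: Solr is installed under $SolrHome and runs as the Windows
# service $ServiceName. Both values are placeholders for this example.
param(
    [string]$SolrHome    = 'C:\solr\solr-8.4.0',   # assumed install path
    [string]$ServiceName = 'solr-8.4.0'            # assumed service name
)

$ErrorActionPreference = 'Stop'
$config = Join-Path $SolrHome 'bin\solr.in.cmd'
$flag   = '-Dlog4j2.formatMsgNoLookups=true'
$line   = "set SOLR_OPTS=%SOLR_OPTS% $flag"

if (-not (Test-Path $config)) { throw "solr.in.cmd not found at $config" }

# Keep a timestamped backup so the edit can be rolled back.
Copy-Item $config "$config.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# Idempotent: only append the line if the flag is not already configured.
if (Select-String -Path $config -SimpleMatch $flag -Quiet) {
    Write-Host "Flag already present in $config"
} else {
    Add-Content -Path $config -Value $line
    Write-Host "Appended '$line' to $config"
}

# Restart Solr so the new JVM system property takes effect.
Restart-Service -Name $ServiceName

# Verify: the Solr java.exe process must show the flag on its command line.
$proc = Get-CimInstance Win32_Process -Filter "Name = 'java.exe'" |
        Where-Object { $_.CommandLine -like '*solr*' }
if ($proc -and ($proc.CommandLine -match [regex]::Escape($flag))) {
    Write-Host 'Verified: Solr JVM started with log4j2.formatMsgNoLookups=true'
} else {
    Write-Warning 'Flag not found on the Solr JVM command line; check how the service starts Solr'
}
```

The flag is a mitigation for the Log4J build shipped with the installed Solr; moving to a Solr version the post describes as unaffected (after 8.11.1) removes the need for it.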
