SOLR-15843 Update Log4J to 2.15 (#454)

Update Log4J to 2.15 and add examples to solr.in.*
apache · Dec 10, 2021 · fa58743 · fa58743
1 parent 82f9d47
commit fa58743
Show file tree

Hide file tree

Showing 17 changed files with 22 additions and 12 deletions.
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
@@ -476,6 +476,8 @@ Bug Fixes
 
 * SOLR-8319: Fix NPE in pivot facets, add non-Analyzed query method in FieldType. (Houston Putman, Isabelle Giguere)
 
+* SOLR-15843: Update Log4J to 2.15 (Mike Drob)
+
 ==================  8.11.0 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.

diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
@@ -213,4 +213,8 @@ REM set SOLR_ADMIN_UI_DISABLED=false
 REM Solr is by default allowed to read and write data from/to SOLR_HOME and a few other well defined locations
 REM Sometimes it may be necessary to place a core or a backup on a different location or a different disk
 REM This parameter lets you specify file system path(s) to explicitly allow. The special value of '*' will allow any path
-REM SOLR_OPTS="%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path"
+REM set SOLR_OPTS=%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path
+
+REM Some previous versions of Solr use an outdated log4j dependency. If you are unable to use at least log4j version 2.15.0
+REM then enable the following setting to address CVE-2021-44228
+REM set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
@@ -258,3 +258,7 @@
 # You can test this behaviour by setting SOLR_HEAP=25m
 #SOLR_HEAP_DUMP=true
 #SOLR_HEAP_DUMP_DIR=/var/log/dumps
+
+# Some previous versions of Solr use an outdated log4j dependency. If you are unable to use at least log4j version 2.15.0
+# then enable the following setting to address CVE-2021-44228
+# SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
diff --git a/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1 b/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1
diff --git a/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1 b/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1
@@ -0,0 +1 @@
+bc960fe2acbe6f3952011f88a771de18301534e7
diff --git a/solr/licenses/log4j-api-2.14.1.jar.sha1 b/solr/licenses/log4j-api-2.14.1.jar.sha1
diff --git a/solr/licenses/log4j-api-2.15.0.jar.sha1 b/solr/licenses/log4j-api-2.15.0.jar.sha1
@@ -0,0 +1 @@
+4a5aa7e55a29391c6f66e0b259d5189aa11e45d0
diff --git a/solr/licenses/log4j-core-2.14.1.jar.sha1 b/solr/licenses/log4j-core-2.14.1.jar.sha1
diff --git a/solr/licenses/log4j-core-2.15.0.jar.sha1 b/solr/licenses/log4j-core-2.15.0.jar.sha1
@@ -0,0 +1 @@
+ba55c13d7ac2fd44df9cc8074455719a33f375b9
diff --git a/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1 b/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1
diff --git a/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1 b/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1
@@ -0,0 +1 @@
+295580f2a67d6af4e276dd415dc3d78cf0167208
diff --git a/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1 b/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1
diff --git a/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1 b/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1
@@ -0,0 +1 @@
+8bb417869ab3baa19f2fc70e6d776d041f0a8ebc
diff --git a/solr/licenses/log4j-web-2.14.1.jar.sha1 b/solr/licenses/log4j-web-2.14.1.jar.sha1
diff --git a/solr/licenses/log4j-web-2.15.0.jar.sha1 b/solr/licenses/log4j-web-2.15.0.jar.sha1
@@ -0,0 +1 @@
+0e2b1512cb85e38326844bdb707b6673e0e70eeb
diff --git a/versions.lock b/versions.lock
@@ -127,9 +127,9 @@ org.apache.kerby:kerby-asn1:1.0.1 (1 constraints: fd0be9f4)
 org.apache.kerby:kerby-config:1.0.1 (4 constraints: 4d3182b9)
 org.apache.kerby:kerby-pkix:1.0.1 (1 constraints: 710bfce4)
 org.apache.kerby:kerby-util:1.0.1 (2 constraints: 6518bdb6)
-org.apache.logging.log4j:log4j-api:2.14.1 (4 constraints: d033fab0)
-org.apache.logging.log4j:log4j-core:2.14.1 (2 constraints: 0d16b624)
-org.apache.logging.log4j:log4j-slf4j-impl:2.14.1 (1 constraints: 3a053c3b)
+org.apache.logging.log4j:log4j-api:2.15.0 (4 constraints: d03302b1)
+org.apache.logging.log4j:log4j-core:2.15.0 (2 constraints: 0d16ba24)
+org.apache.logging.log4j:log4j-slf4j-impl:2.15.0 (1 constraints: 3a053e3b)
 org.apache.lucene:lucene-analysis-common:9.0.0 (10 constraints: ac9e842f)
 org.apache.lucene:lucene-analysis-icu:9.0.0 (1 constraints: 0b051836)
 org.apache.lucene:lucene-analysis-kuromoji:9.0.0 (1 constraints: 0b051836)
@@ -317,7 +317,7 @@ org.apache.kerby:kerb-common:1.0.1 (2 constraints: a51841ca)
 org.apache.kerby:kerb-identity:1.0.1 (1 constraints: 5f0cb602)
 org.apache.kerby:kerb-server:1.0.1 (1 constraints: d10b65f2)
 org.apache.kerby:kerb-simplekdc:1.0.1 (1 constraints: dc0d7e3e)
-org.apache.logging.log4j:log4j-1.2-api:2.14.1 (1 constraints: 3a053c3b)
+org.apache.logging.log4j:log4j-1.2-api:2.15.0 (1 constraints: 3a053e3b)
 org.asciidoctor:asciidoctorj:1.6.2 (1 constraints: 0b050436)
 org.asciidoctor:asciidoctorj-api:1.6.2 (1 constraints: e30cfb0d)
 org.freemarker:freemarker:2.3.31 (1 constraints: ef0e9271)

diff --git a/versions.props b/versions.props
@@ -88,7 +88,7 @@ org.apache.httpcomponents:httpcore=4.4.13
 org.apache.httpcomponents:httpmime=4.5.10
 org.apache.james:apache-mime4j*=0.8.3
 org.apache.kerby:*=1.0.1
-org.apache.logging.log4j:*=2.14.1
+org.apache.logging.log4j:*=2.15.0
 org.apache.lucene:*=9.0.0
 org.apache.opennlp:opennlp-tools=1.9.1
 org.apache.pdfbox:*=2.0.24