Environment

• EDR Server: 7.3.0 to 7.6.0

Objective

• CVE-2021-44228
• CVE-2021-45046
• CVE-2021-45105
• CVE-2021-44832

Resolution

1. Open a terminal/ssh session to the backend. 
2. Take a backup of the solr.in.sh file. This will be under /etc/cb/solr/ or /etc/cb/solr6/ directory
3. Run the following command(s) on all EDR servers (primary and minion if clustered):
   • 7.3.0 - 7.5.2 (If you followed the original mitigation steps, this command does not need to be applied)  CVE-2021-44228

     sudo /bin/sh -c 'solr6=/etc/cb/solr6/solr.in.sh; solr=/etc/cb/solr/solr.in.sh; if [ -f $solr6 ]; then if ! grep -q "formatMsgNoLookups" $solr6; then echo SOLR_OPTS=\"\$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true\" >> $solr6; fi; elif [ -f $solr ]; then if ! grep -q "formatMsgNoLookups" $solr; then echo SOLR_OPTS=\"\$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true\" >> $solr; fi; fi'

   • 7.3.0 - 7.6.0:  To fix CVE-2021-45105, please follow the below instructions to patch Log4j to version 2.17.1, the files include the removal of JndiLookup.class for CVE-2021-45046 and CVE-2021-44832
     1. Take a backup of the current files

        sudo tar -cvzf /usr/share/cb/solr/server/lib/ext/log4j_backup.tar.gz /usr/share/cb/solr/server/lib/ext/log4j-* --remove-files

     2. Copy the log4j_2_17.tar.gz on the primary (and minions if clustered) and extract them. Download here: log4j_2_17_1.tar.gz 

        sudo tar -xvf log4j_2_17_1.tar.gz -C /usr/share/cb/solr/server/lib/ext/

4. Restart the EDR services: How to Restart Services

Additional Notes

• No, 7.6.1 includes Log4j version 2.17.0 with the fix, this version also includes both previous mitigations

• Older versions used log4j versions 1.x and therefore are not part of the vulnerability

• The first command disable the formatMsgNoLookups feature that is vulnerable to exploit. This feature allows for potential for an attacker to gain access to the machine
• It will check for proper folder location and add the config to the solr.in.sh file. If you added this previously or are on 7.6.0 it is not needed. The command did change slightly to account for not duplicating the config by accident if run again

• Patches Log4j to 2.17.1 for Solr, the JndiLookup.class has been removed from the library of the included files. 

• Please see step 4. This should only be done for 7.3.0 to 7.6.0. Updating Log4j on any previous versions will cause issues with the Solr service
• Do not update via yum as it will not update our package and will install other dependencies on the machine we do not use. 

• Hosted EDR was updated to 7.6.0 with the first mitigation recommendation on 12/11 (CVE-2021-44228) and again on 12/15 to cover (CVE-2021-45046). On 12/23 the server was updated to 7.6.1 with Log4j version 2.17.0 to cover (CVE-2021-45105) and JNDILookup class was removed and covers (CVE-2021-44832)

• HEDR has been updated to 7.6.1 with Log4j version 2.17.0
• 7.6.1 with Log4j version is releasing 12/23

• 7.6.1 and replacement 2.17.0 included a version with JNDILookup class removed. The product does not use the JDBC Appender and does not work without the JNDILookup class
• If you have already installed 7.6.1 or followed the instructions for 2.17.0, you do not need to update to 2.17.1 unless your internal security practices require this version. 

• 41f0ed7f3ae586655068186cebf8d433  log4j_2_17_1.tar.gz
• 937a348ff730ec6ed54ef28576808ad3  log4j-1.2-api-2.17.1.jar
• 7aae1e012aef802cbc2077f5267ac002  log4j-api-2.17.1.jar
• 180ae8bb382f65d5d8cbd0e66145593e  log4j-core-2.17.1.jar
• edbf8a5cea0bc0cd0ada9c3c2cb78d50  log4j-slf4j-impl-2.17.1.jar
• 89a3991435dcfbc4a26fc432a776f12c  log4j-web-2.17.1.jar
   

• Do not modify the commands. These have been confirmed and tested for the environments listed

Related Content