How to mitigate the Log4Shell vulnerability in Apache Solr

There is a critical vulnerability in Log4J called Log4Shell (CVE-2021–44228) which allows attackers to execute arbitrary code. Apache Solr is affected by this vulnerability because Log4J is used as logging framework.

We want to give some practical guidance on how to mitigate the Log4Shell vulnerability. These hints are based on the official Apache Solr News.

Fix Solr 7.4–8.11

All versions of Solr are affected that use the Log4J library in version 2.x. This version has been included since Solr 7.4.0. The easiest fix is to add an environment variable or JVM parameter when starting Solr.

Manually Installed Solr

If Solr is installed manually on a server edit the file

/etc/default/solr.in.sh

and add the JVM parameter to the Solr options.

SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"

Restart Solr to apply the fix.

Running Solr as Docker

When running Solr as docker image the needed option can be passed via environment variable when running the Docker image:

docker run -e LOG4J_FORMAT_MSG_NO_LOOKUPS=true -p8983:8983 [YOUR_SOLR_DOCKER_IMAGE]

Fix Solr prior to 7.4

Solr releases prior to 7.4 uses Log4J 1.x. Those versions are only affected by the Log4Shell vulnerability if non-default logging configurations are used that include the JMS Appender. Please read this discussion thread about fixing the issue in versions lower than 7.4.

If the default logging settings are used then your Solr instance is not affected.

---

Once Apache Solr releases 8.11.1, you should consider to upgrade to that version.