How to remediate a reported log4j vulnerability in the CM server Solr library?


Information

Article Type: Solution Article
Scope/Environment: Tridion Sites 9.5 (but likely applicable to other product versions)
Symptoms/Context
- Customer security scans have flagged older log4j jar files on CM servers:
  %TRIDION_HOME%/solr-home/lib/log4j.jar
  %TRIDION_HOME%/lib/log4j-over-slf4j.jar
- The installed version of log4j.jar is 1.2.14.
- The administrator is required to remediate the reported log4j vulnerabilities.
Resolution
As discussed in the KB article linked below, the Tridion Sites search functionality (Solr) does use log4j core, but it is the older 1.x branch, which is not vulnerable: the JNDI lookup in log message patterns that the log4j 2.x vulnerability (CVE-2021-44228) exploits does not exist in log4j 1.x. The one comparable log4j 1.x issue (CVE-2021-4104) requires the JMS appender to be configured, and the Content Manager search configuration does not use the JMS appender, so the customization that could lead to a vulnerable position is not in place.
Log4j vulnerability impact on Tridion Sites 9.5 and other versions

The log4j-1.2.17.jar file (the last 1.x release) from the URL below can replace the older jar file in the %TRIDION_HOME%/solr-home/lib folder. Note that the 1.x branch is end-of-life, so a scanner that flags on the major version alone will continue to flag 1.2.17; the upgrade removes the outdated 1.2.14 finding, not the end-of-life finding.
https://logging.apache.org/log4j/1.2/download.html
Alternatively, it is safe to update the log4j version in the embedded Tomcat search component to the fixed version, 2.16 or later. The 2.x releases are compatible with Tomcat 8.5 and higher - https://logging.apache.org/log4j/2.x/log4j-appserver/index.html. Because log4j 2.x uses a different package name (org.apache.logging.log4j) from 1.x, this is not a single-jar swap: log4j-api and log4j-core must be deployed together with the log4j-1.2-api bridge jar so that code written against the 1.x API continues to log, and the log4j 1.x properties configuration has to be carried over to a log4j 2.x configuration.
The latest version of log4j-over-slf4j.jar can replace the older jar file in the %TRIDION_HOME%/lib folder. This jar is published by the SLF4J project, not by Apache log4j: it is a bridge that routes log4j 1.x API calls into SLF4J and contains no log4j appenders or lookups, only API shims. Obtain it from the SLF4J download page or Maven Central (org.slf4j:log4j-over-slf4j) and match its version to the slf4j-api.jar already present in %TRIDION_HOME%/lib, since mismatched SLF4J artifact versions fail at runtime.
https://www.slf4j.org/download.html

Neither of these jar files is subject to the log4j vulnerability mentioned in the KB article, but administrators can safely update the jar files to avoid them being flagged by security scans. After the swap, restart the affected services and confirm that only the replacement jar remains in each folder: a security scan matches every copy it finds, so an old jar left in place, renamed, or moved to a backup directory under %TRIDION_HOME% will be flagged again.
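The classification above (log4j 1.x without a JMS appender in use, the SLF4J bridge, and a log4j 2.x core that needs 2.16 or later) can be checked mechanically rather than by reading scanner output. The script below is an added verification example written for this article; it is not code from the KB article or from RWS/Tridion. It walks a directory tree such as %TRIDION_HOME%, opens every jar, reads the manifest version, and decides from the entry names which flavour of log4j the jar is and what action, if any, this article asks for. It goes slightly beyond the article by also recognising a log4j 2.x core jar. The three sample jars it builds under a temporary directory are constructed stand-ins (the log4j-core 2.14.1 jar is hypothetical and not something the article reports); real jars are recognised by the same entry names, which are the ones the published Apache log4j and SLF4J artifacts use.

```python
"""Inventory and classify log4j-related jars under a Tridion-style directory tree.

Added example for this KB article; not Tridion or RWS code. The sample jars built by
make_sample_tree() are constructed stand-ins for %TRIDION_HOME%/solr-home/lib/log4j.jar,
%TRIDION_HOME%/lib/log4j-over-slf4j.jar and a hypothetical log4j-core 2.14.1 jar.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Entry names that identify a jar's flavour (taken from the published artifacts).
L4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"            # log4j 2.x implementation
JNDI_LOOKUP = L4J2_CORE_PREFIX + "lookup/JndiLookup.class"     # 2.x lookup behind CVE-2021-44228
L4J1_PREFIX = "org/apache/log4j/"                              # log4j 1.x API package
JMS_APPENDER = L4J1_PREFIX + "net/JMSAppender.class"           # 1.x appender behind CVE-2021-4104
OVER_SLF4J_POM = "META-INF/maven/org.slf4j/log4j-over-slf4j/"  # only in the SLF4J bridge jar

def manifest_version(zf):
    """Return Implementation-Version or Bundle-Version from the manifest, if present."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^(?:Implementation-Version|Bundle-Version):\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def version_tuple(v):
    """'1.2.14' -> (1, 2, 14); a missing version sorts lowest so it is never silently passed."""
    return tuple(int(x) for x in re.findall(r"\d+", v or "")) or (0,)

def assess_jar(path):
    """Classify one jar and state what, if anything, the article asks the administrator to do."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    # The bridge also carries org/apache/log4j/ API shims, so test for it before log4j 1.x.
    if any(n.startswith(OVER_SLF4J_POM) for n in names):
        flavour = "log4j-over-slf4j"
        status = "ok: SLF4J bridge, no log4j appenders or lookups"
    elif any(n.startswith(L4J2_CORE_PREFIX) for n in names):
        flavour = "log4j-2.x-core"
        if version_tuple(version) < (2, 16):
            status = "action: upgrade to 2.16 or later"
            if JNDI_LOOKUP in names:
                status += " (JndiLookup class present)"
        else:
            status = "ok: fixed 2.x release"
    elif any(n.startswith(L4J1_PREFIX) for n in names):
        flavour = "log4j-1.x"
        status = "not affected by the 2.x JNDI lookup"
        if version_tuple(version) < (1, 2, 17):
            status += "; action: replace with log4j-1.2.17.jar"
        else:
            status += "; last 1.x release (branch is end-of-life)"
        if JMS_APPENDER in names:
            status += "; JMSAppender class present, keep it out of the log4j configuration"
    else:
        flavour, status = "other", "ok: no log4j classes"
    return {"jar": str(path), "version": version, "flavour": flavour, "status": status}

def scan_tree(root):
    """Assess every *.jar below root (for example the real %TRIDION_HOME%), in path order."""
    return [assess_jar(p) for p in sorted(Path(root).rglob("*.jar"))]

def _write_jar(path, version, entries):
    """Write a constructed stand-in jar: a manifest plus empty class/resource entries."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"")

def make_sample_tree(root):
    """Build the constructed sample tree (not real jars) mirroring the article's two paths."""
    root = Path(root)
    _write_jar(root / "solr-home" / "lib" / "log4j.jar", "1.2.14",
               [L4J1_PREFIX + "Logger.class", JMS_APPENDER])
    _write_jar(root / "lib" / "log4j-over-slf4j.jar", "1.7.36",
               [L4J1_PREFIX + "Logger.class", OVER_SLF4J_POM + "pom.properties"])
    # Hypothetical extra jar, not reported by the article: shows the 2.x branch handling.
    _write_jar(root / "solr-home" / "lib" / "log4j-core-2.14.1.jar", "2.14.1",
               [L4J2_CORE_PREFIX + "Logger.class", JNDI_LOOKUP])
    return root

def build_and_scan():
    """Create the sample tree in a temp dir and return findings keyed by jar file name."""
    root = make_sample_tree(tempfile.mkdtemp(prefix="tridion-log4j-"))
    return {Path(r["jar"]).name: r for r in scan_tree(root)}

if __name__ == "__main__":
    for name, r in build_and_scan().items():
        print(f"{name:26} {r['flavour']:18} {r['version'] or '?':8} {r['status']}")
```

To use it against a live server, call scan_tree() with the real %TRIDION_HOME% path instead of the sample tree; every jar that reports "action:" is one this article asks the administrator to replace, and every jar that reports "ok:" is one that can be explained to the scanner as a false positive. The check keys on entry names and the manifest, not on file names, so a renamed or backup copy of an old jar is still found.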
