
Let us mitigate Sitecore SOLR Log4J vulnerability with ease

Introduction

The Log4J security alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication: attackers can remotely run any code to gain access to all data on the affected machine. It also allows them to delete or encrypt all files on the affected machine and hold them for a ransom demand. This potentially makes anything that uses a vulnerable version of Log4j a target. In most cases the Sitecore SOLR servers will be internal only, but security team scans would flag them and it is always safer to be patched.

Sitecore
Security Bulletins - Security Bulletin SC2021-004-511605

SOLR
Solr™ Security News - Apache Solr

MSFT
Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 – Microsoft Security Response Center

Log4J
https://logging.apache.org/log4j/2.x/security.html

SearchStax
https://www.searchstax.com/blog/how-searchstax-is-handling-cve-2021-44228-log4j-vulnerability/

Sitecore

Sitecore is not directly affected, but the SOLR instance that is being used for search is affected.

Affected

Sitecore 9.2 and above are affected. When installing a new instance, we are expected to patch it.

Not Affected

Sitecore 9.1 and below
SearchStax hosted SOLR
Coveo Search

Mitigation

The best option is to upgrade to SOLR 8.11.1 or greater, but Sitecore has strict version compatibility requirements with SOLR, and at the time of writing 10.2 uses SOLR 8.8.2.
There are multiple options, but only two can be used with Sitecore SOLR.

Option 1: Manually update the Log4J runtime

I will walk through the steps for a standalone SOLR instance for Sitecore 10.2 with SOLR 8.8.2. It should be similar for other versions. Test the process on your dev instance and ensure it works as expected.

Download the patched version for updating and extract it to a folder
https://archive.apache.org/dist/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip

Stop the SOLR Service (Open run prompt and type services.msc)
Back up the SOLR folder from your installation location; in my case it is c:\solr

Delete the older version log4j files in the following locations and replace them with the new version that we downloaded
c:\solr\solr-8.8.2\server\lib\ext

c:\solr\solr-8.8.2\contrib\prometheus-exporter\lib

Start the service and check that SOLR starts and is working as expected. Make sure you run some searches in the Sitecore content editor, and also monitor the SOLR logs.

Option 2: Edit solr.in.cmd file

Stop the SOLR Service (Open run prompt and type services.msc)
Back up the SOLR folder from your installation location; in my case it is c:\solr

Navigate to the SOLR installation folder and edit the solr.in.cmd file to include:
set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
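
A post-change check for both options, as an added example that is not part of the original post: it lists the Log4j jars in the two folders named in Option 1 with their versions, and reports whether the Option 2 flag is set in solr.in.cmd. The $SolrHome default and the bin\solr.in.cmd location are assumptions based on the c:\solr\solr-8.8.2 layout used above; adjust them to your install.

```powershell
# Added example: verify a Solr install after applying Option 1 or Option 2.
# Assumption: $SolrHome matches the install path used in this post.
param(
    [string]$SolrHome = 'C:\solr\solr-8.8.2',
    [version]$MinVersion = '2.17.1'   # the patched Log4j release downloaded in Option 1
)

# The two folders in which Option 1 replaces the Log4j jars.
$jarDirs = @(
    (Join-Path $SolrHome 'server\lib\ext'),
    (Join-Path $SolrHome 'contrib\prometheus-exporter\lib')
)

$results = foreach ($dir in $jarDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Folder not found: $dir"
        continue
    }
    Get-ChildItem -LiteralPath $dir -Filter 'log4j-*.jar' -File | ForEach-Object {
        # Jar names end in -<version>.jar, e.g. log4j-core-2.17.1.jar
        $found = $null
        $status = 'UNKNOWN'
        if ($_.Name -match '-(\d+(?:\.\d+){1,2})\.jar$') {
            $found = [version]$Matches[1]
            $status = $(if ($found -ge $MinVersion) { 'OK' } else { 'OUTDATED' })
        }
        [pscustomobject]@{ Folder = $dir; Jar = $_.Name; Version = $found; Status = $status }
    }
}
$results | Format-Table -AutoSize

# Option 2: look for the flag on a line that is not commented out (REM or ::).
# Assumption: solr.in.cmd sits in the bin folder of the Solr install.
$inCmd = Join-Path $SolrHome 'bin\solr.in.cmd'
$flagSet = $false
if (Test-Path -LiteralPath $inCmd) {
    $flagSet = [bool](Get-Content -LiteralPath $inCmd | Where-Object {
        $_ -notmatch '^\s*(REM\b|::)' -and $_ -match '-Dlog4j2\.formatMsgNoLookups=true'
    })
} else {
    Write-Warning "File not found: $inCmd"
}
"formatMsgNoLookups flag set in solr.in.cmd: $flagSet"

$outdated = @($results | Where-Object { $_.Status -ne 'OK' })
"Log4j jars needing attention: $($outdated.Count)"
```

Run it before and after the change on the dev instance so the two outputs can be compared.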

Reference:
https://www.prplbx.com/resources/blog/log4j/
