The Log4Shell (CVE-2021-44228, CVSSv3 10.0) vulnerability


Dragan Ivanovic

Dec 14, 2021, 11:10:01 AM
to vivo-co...@googlegroups.com

Dear VIVO users,

On December 9th, 2021, a 0-day exploit in the popular Java logging library log4j was discovered that results in Remote Code Execution (RCE) by logging a certain string.

The impact of this vulnerability is quite severe. More about this issue's impact (elsewhere called Log4Shell) might be found at https://www.randori.com/blog/cve-2021-44228/

The VIVO core source code is not impacted by this vulnerability, but the Solr platform used by VIVO might be. The list of Solr versions affected by this vulnerability and instructions on how to mitigate this vulnerability and patch quickly are provided at https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228. If you are using a Docker instance of Solr, the solution might be this one: https://vivo-project.slack.com/archives/C8RL9L98A/p1639495347144900?thread_ts=1639428593.142600&cid=C8RL9L98A

Sincerely,

Dragan Ivanovic

The VIVO tech lead
