Solr 8.11.1 upgrade. Explain Log4J situation. (#401)

docker-solr · Dec 17, 2021 · b30202a · b30202a
1 parent d9aceb6
commit b30202a
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 9 deletions.
diff --git a/8.11/Dockerfile b/8.11/Dockerfile
@@ -4,9 +4,9 @@ FROM openjdk:11-jre
 LABEL maintainer="The Apache Lucene/Solr Project"
 LABEL repository="https://github.com/docker-solr/docker-solr"
 
-ARG SOLR_VERSION="8.11.0"
-ARG SOLR_SHA512="fa766775a70ee636792149baa20a541fa043a7579d499324072965f0c241600b75afe940d2b6c90cafb4b14b9c5f1c2a7bd0844c7d198ba9a36f09e427262dd2"
-ARG SOLR_KEYS="E6E21FFCDCEA14C95910EA65051A0FAF76BC6507"
+ARG SOLR_VERSION="8.11.1"
+ARG SOLR_SHA512="4893f836aec84b03d7bfe574e59e305c03b5ede4a48020034fbe81440b8feee79e55fd9ead230e5b89b3f25124e9b56c1ddc4bb5c7f631cf4e846b9cab5f9a45"
+ARG SOLR_KEYS="2CECBFBA181601547B654B9FFA81AC8A490F538E"
 # If specified, this will override SOLR_DOWNLOAD_SERVER and all ASF mirrors. Typically used downstream for custom builds
 ARG SOLR_DOWNLOAD_URL
 

diff --git a/8.11/slim/Dockerfile b/8.11/slim/Dockerfile
@@ -4,9 +4,9 @@ FROM openjdk:11-jre-slim
 LABEL maintainer="The Apache Lucene/Solr Project"
 LABEL repository="https://github.com/docker-solr/docker-solr"
 
-ARG SOLR_VERSION="8.11.0"
-ARG SOLR_SHA512="fa766775a70ee636792149baa20a541fa043a7579d499324072965f0c241600b75afe940d2b6c90cafb4b14b9c5f1c2a7bd0844c7d198ba9a36f09e427262dd2"
-ARG SOLR_KEYS="E6E21FFCDCEA14C95910EA65051A0FAF76BC6507"
+ARG SOLR_VERSION="8.11.1"
+ARG SOLR_SHA512="4893f836aec84b03d7bfe574e59e305c03b5ede4a48020034fbe81440b8feee79e55fd9ead230e5b89b3f25124e9b56c1ddc4bb5c7f631cf4e846b9cab5f9a45"
+ARG SOLR_KEYS="2CECBFBA181601547B654B9FFA81AC8A490F538E"
 # If specified, this will override SOLR_DOWNLOAD_SERVER and all ASF mirrors. Typically used downstream for custom builds
 ARG SOLR_DOWNLOAD_URL
 

diff --git a/README.md b/README.md
@@ -1,7 +1,17 @@
+# NOTE: Not vulnerable to Log4J 2 "Log4shell"
+
+The Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2 but they are not vulnerable anymore -- you may need to re-pull the image you are using.  For images prior to 8.11.1, Solr is using a popular technique to do this -- setting `log4j2.formatMsgNoLookups`.  The Solr maintainers have deemed this adequate based specifically on how Solr uses logging.  It won't be adequate for all projects that use Log4J.  Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way.
+
+References:
+* [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr _was_ vulnerable to this.
+* [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr _never was_ vulnerable to this.
+* [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228)
+
+
 # Supported tags and respective `Dockerfile` links
 
 See [Docker Hub](https://hub.docker.com/_/solr?tab=tags) for a list of image tags available to pull.
-The currently supported tags can be found in [./TAGS](https://github.com/docker-solr/docker-solr/blob/389e7844c8405605a930fc30cc8029eb6027798e/TAGS).
+The currently supported tags can be found in [./TAGS](https://github.com/docker-solr/docker-solr/blob/389e7844c8405605a930fc30cc8029eb6027798e/TAGS).  Note that the Apache Solr project doesn't actually support any releases older than the current major release series, despite whatever tags are published.
 
 For more information about this image and its history, please see [the relevant manifest file (`library/solr`)](https://github.com/docker-library/official-images/blob/master/library/solr). This image is updated via pull requests to [the `docker-solr/docker-solr` GitHub repo](https://github.com/docker-solr/docker-solr).
 

diff --git a/TAGS b/TAGS
@@ -1,5 +1,5 @@
-8.11:8.11.0:8.11 8 latest
-8.11/slim:8.11.0-slim:8.11-slim 8-slim latest-slim
+8.11:8.11.1:8.11 8 latest
+8.11/slim:8.11.1-slim:8.11-slim 8-slim latest-slim
 8.10:8.10.1:8.10
 8.10/slim:8.10.1-slim:8.10-slim
 8.9:8.9.0:8.9