Details
- Improvement
- Resolution: Fixed
- High
- 4.0.0-beta3, 2.5.14, 3.3.12
- None
Description
In the wake of the log4j vulnerability, though we are not affected, we should look into raising the requirements for these Java-related dependencies. We have an inconsistency between code and docs, and we allow some old versions.
- v1.13 goes EOL in a couple of weeks, so there is not much point in spending time on it.
- v2.5
  - The doc says we require "Solr 7.7LTS or Solr 8", "Elasticsearch 7.7" and "Oracle Java/Open JDK 8 or higher".
  - The code, however, installs Solr 6.6.5 by default, which is inconsistent.
- v3.3
- v4
  - The master doc says the same as for v3.3.
  - We install Solr 7.7 or Elasticsearch 7.7 by default.
Recommendations from vendors
- Log4j: Upgrade to v2.16.0 or later (the earlier v2.15.0 was found to be insufficient).
- Solr: 8.11.1 https://solr.apache.org/news.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
- Elasticsearch: Not affected when running on Java 9+, but upgrade anyway: 7.16.1 and 6.8.21 https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
- Java JDK: 9 or newer.
- Platform.sh: https://platform.sh/blog/2021/platformsh-protects-from-apache-log4j/
Recommendation for Ibexa
- We must fix the v2.5 inconsistency by bumping the installed version.
- We should bump the Java requirement from 8 to 11 LTS. This is fine for our relevant versions of Solr and Elasticsearch.
- Can we bump the Solr requirement to 8.11.1, which has the updated log4j dependency? (The Elasticsearch info leak issue is solved in Java versions newer than 8.)
- Where the docs recommend Solr 8.6, we should upgrade this too.
Dependency requirements
- Solr: https://solr.apache.org/guide/8_11/solr-system-requirements.html
- Elasticsearch: https://www.elastic.co/support/matrix#matrix_jvm
Issue Links
- relates to IBX-3103 Bump requirement for Solr