Potential threat of arbitrary code execution through Apache Solr

Update History

January 6, 2022 FileCloud Version 21.3.0.18447 has been released. This version updates FileCloud to Log4j 2.17.0 which eliminates the vulnerability.
December 21, 2021 FileCloud customers who have updated to Server Patch 21.2.4.17315, which upgraded Log4j to Version 2.16.0, are fully protected from Log4j vulnerabilities. Since then, an additional vulnerability was found in Log4j 2.16.0. Although the new vulnerability does not affect FileCloud users, as a proactive measure, Version 21.3 of FileCloud will upgrade FileCloud to Log4j 2.17.0, which eliminates this vulnerability.
December 17, 2021 We published FileCloud Version 21.2.4.17315 which resolved the Log4j issue.
The recommended fix is to install FileCloud Version 21.2.4.17315; however, if you do not install Version 21.2.4.17315, please make the changes outlined below.
December 15, 2021 After a newer vulnerability report (CVE 2021-45046) was published, we created an automated tool that completely updated and verified the Log4j library in your install to the latest secure 2.16 version. The steps for running this tool are given below.
December 13, 2021 We sent out an update on the Apache Log4j security vulnerability and gave instructions for applying a workaround to secure your FileCloud server. Even if you applied this workaround, please perform the fix described in the above bullet point dated December 17, 2021 or in the bullet point dated December 15, 2021.

Security Advisory Date	Updated January 6, 2022 (originally published December 13, 2021)
Vulnerability Type	Remote code execution
Severity factors	High. Although Apache Solr is not directly exposed through external access, FileCloud uses Apache Solr which in turn uses the log4j library.
Versions affected	All versions of FileCloud running Apache Solr 8.11.0 or below (all versions prior to FileCloud's 21.2.4 patch release)
Version fixed	21.2.4.17315

Description

A critical vulnerability discovered recently in Apache Log4j may allow attackers to execute arbitrary code by sending formatted messages to the logger library. For content search, FileCloud uses Apache Solr which in turn uses the log4j library.

Fix

If you are using FileCloud on-premises, it is recommended that you update to the latest version, which is 21.2.4.17315 or greater. This will resolve the issue.
If you are using FileCloud on-premises and do not upgrade to version 21.2.4.17315 or greater, perform the following steps to resolve the issue:
Please make these changes on FileCloud servers that Solr is running on:
In Windows:
1. Open PowerShell as Administrator:
  Search in the Start menu for PowerShell, then right-click and select Run as administrator.
2. In the PowerShell, go to the downloads directory
```
PS C:\WINDOWS\system32> cd "$HOME\Downloads" 
```
3. Setup execution permissions for the script
```
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```
4. Download the Solr Log4j patch PowerShell script
```
Invoke-WebRequest -Uri https://patch.codelathe.com/tonidocloud/live/3rdparty/solr/solrpatch.ps1 -OutFile .\solrpatch.ps1
```
5. Execute the downloaded script
```
.\solrpatch.ps1
```

In Linux:

Download the Solr Log4j patch.

# wget https://patch.codelathe.com/tonidocloud/live/3rdparty/solr/solr_log4j_patch.sh

Execute the downloaded script.
```
# sudo bash ./solr_log4j_patch.sh
```

For Linux and Windows:

Once the above command completes, confirm that one of the following messages is displayed.

 Solr Log4j patches applied successfully for CVE-2021-44228 or CVE-2021-45046

or

supplied paths are not vulnerable to CVE-2021-44228 or CVE-2021-45046

If you are a FileCloud Online customer, the fix has already been applied to your sites to secure it.

If you have any questions about this advisory, please contact FileCloud support.