ncbo / virtual_appliance

Bioportal Virtual Appliance

OntoPortal log4j vulnerability #27

Closed alexskr closed 2 years ago

alexskr commented 2 years ago

OntoPortal has two components that have log4j libraries bundled in: Solr and AnnotatorPlus.

Appliance v3.0.4+: External connections to Solr are blocked by default, and all Solr requests come from the ontologies_api, which doesn't pass things like user agent when it makes requests to Solr.

AnnotatorPlus runs on a Tomcat server and doesn't seem to use log4j logging capability as far as we can tell. On top of that, the Appliance runs Java 11.0.1+, which is reported not to be vulnerable.

Nevertheless, the following steps can be taken to further mitigate log4shell:

Solr: Modify the Solr config file /etc/sysconfig/solr and add the following:

SOLR_OPTS="${SOLR_OPTS} -Dlog4j2.formatMsgNoLookups=true"

then restart Solr:

sudo systemctl restart solr

https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

alexskr commented 2 years ago

A patched version of annotatorplus.war is published and can be deployed on appliance v3.0.3+:

sudo su - ontoportal
cd /srv/ontoportal/virtual_appliance/
git pull
cd /srv/ontoportal/virtual_appliance/deployment
./setup_deploy_env.sh
./deploy_annotatorproxy.sh

alexskr commented 2 years ago

The formatMsgNoLookups=true flag might not be sufficient to fully mitigate Log4j CVE-2021-44228, so Solr needs to be upgraded to the recently released v8.11.1:

sudo su -
systemctl stop solr
cd /opt
wget https://dlcdn.apache.org/lucene/solr/8.11.1/solr-8.11.1.tgz
tar -xvf solr-8.11.1.tgz
# /opt/solr is a symlink to the installed release; repoint it at the new one
rm solr
ln -s solr-8.11.1 solr
systemctl start solr
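The two remediation paths in this thread, the SOLR_OPTS flag and the Solr upgrade, leave an operator with the same question: which log4j-core jars are still on the appliance, and is any of them still exposed? The following is an added example, not code from the ncbo/virtual_appliance project, that answers it offline. It walks a directory tree (on a real appliance you would point it at /opt/solr and the Tomcat webapps directory, both assumed paths), reads the log4j-core version from each jar's file name, checks whether JndiLookup.class is still inside the jar, and maps that against the fixed-in versions published by Apache for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. It also reports whether a sysconfig file sets -Dlog4j2.formatMsgNoLookups=true, but deliberately does not treat that flag as closing any CVE, matching the comment above that the flag may not be sufficient. The sample jars, the sample sysconfig file and the directory labels are constructed inside the script so it runs without an appliance.

```python
"""Offline check of bundled log4j-core jars after a Log4Shell mitigation or upgrade.

Added example for the ncbo/virtual_appliance log4j thread; not project code.
"""
import os
import re
import tempfile
import zipfile

# Fixed-in versions from the Apache Log4j security page. A jar older than the
# fixed-in version is open to that CVE unless the class-removal mitigation applies.
FIXED_IN = [
    ((2, 15, 0), "CVE-2021-44228"),  # Log4Shell JNDI RCE
    ((2, 16, 0), "CVE-2021-45046"),  # incomplete fix; formatMsgNoLookups bypass
    ((2, 17, 0), "CVE-2021-45105"),  # uncontrolled recursion DoS in lookups
]
# Deleting this class from the jar is the documented mitigation for 44228 and
# 45046; it does nothing for the recursion DoS, so 45105 stays open.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MITIGATED_BY_CLASS_REMOVAL = {"CVE-2021-44228", "CVE-2021-45046"}
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def inspect_jar(path):
    """Return (version, has_jndi_lookup, open_cves) for a log4j-core jar, else None."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    version = tuple(int(g) for g in m.groups())
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_LOOKUP in jar.namelist()
    open_cves = [cve for fixed, cve in FIXED_IN if version < fixed]
    if not has_jndi:
        open_cves = [c for c in open_cves if c not in MITIGATED_BY_CLASS_REMOVAL]
    return version, has_jndi, open_cves


def scan_tree(root):
    """Walk root and map each log4j-core jar path to its inspect_jar() result."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = inspect_jar(path)
            if found is not None:
                results[path] = found
    return results


def has_no_lookups_flag(sysconfig_path):
    """True if a SOLR_OPTS= line in the file carries the formatMsgNoLookups flag."""
    try:
        with open(sysconfig_path) as fh:
            return any(line.strip().startswith("SOLR_OPTS=") and NO_LOOKUPS_FLAG in line
                       for line in fh)
    except FileNotFoundError:
        return False


def _write_jar(path, include_jndi_lookup):
    """Write a constructed stand-in jar: a manifest plus, optionally, JndiLookup.class."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only


def run_demo():
    """Build constructed sample jars in a temp dir and return the scan as plain dicts."""
    base = tempfile.mkdtemp(prefix="log4j-check-")
    samples = {  # constructed labels and jar names, not real appliance paths
        "vulnerable": ("log4j-core-2.14.1.jar", True),   # stock pre-patch jar
        "stripped": ("log4j-core-2.14.1.jar", False),    # JndiLookup.class deleted
        "current": ("log4j-core-2.17.1.jar", True),      # fixed release, class present
    }
    for label, (jar_name, keep_class) in samples.items():
        _write_jar(os.path.join(base, label, jar_name), keep_class)
    sysconfig = os.path.join(base, "solr")  # stand-in for /etc/sysconfig/solr
    with open(sysconfig, "w") as fh:
        fh.write('SOLR_OPTS="${SOLR_OPTS} -Dlog4j2.formatMsgNoLookups=true"\n')
    report = {}
    for path, (version, has_jndi, open_cves) in scan_tree(base).items():
        label = os.path.basename(os.path.dirname(path))
        report[label] = {"version": ".".join(map(str, version)),
                         "jndi_lookup_present": has_jndi,
                         "open_cves": open_cves}
    return {"jars": report, "no_lookups_flag_set": has_no_lookups_flag(sysconfig)}


if __name__ == "__main__":
    result = run_demo()
    print("formatMsgNoLookups flag set:", result["no_lookups_flag_set"])
    for label, info in result["jars"].items():
        print(label, info)
```

On a real appliance call scan_tree("/opt/solr") and scan_tree() on the Tomcat webapps directory after the war has been unpacked; the walk looks only at jars lying on disk, so a log4j-core jar still packed inside a .war is not seen, which is exactly the AnnotatorPlus case and has to be checked separately. The "stripped" sample shows why a version number alone is not enough: a 2.14.1 jar with JndiLookup.class removed is no longer open to the RCE but is still open to the recursion DoS, and only the upgraded jar clears all three.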

alexskr commented 2 years ago

OntoPortal appliance v3.0.6 has been released which contains log4j patches.