This issue is related to remote code execution vulnerability via the Log4j library, which is used by Apache Solr, one of the search engines supported by Sitecore Experience Platform and Sitecore Managed Cloud.
We encourage Sitecore customers and partners who use Solr as a search provider to familiarize themselves with the information below and apply the Solution to all affected Sitecore systems. We also recommend that customers maintain their environments on security-supported versions and apply all available security fixes without delay.
The vulnerability impacts the following Sitecore products:
|Sitecore Experience Platform||+|
|Sitecore Managed Cloud||+|
|Sitecore Content Hub||-|
| Sitecore CDP and Sitecore Personalize
|Sitecore OrderCloud (formerly Four51 OrderCloud)||-|
|Sitecore Storefront (formerly Four51 Storefront)||-|
|Sitecore Discover (formerly Reflektion)||-|
|Sitecore Commerce Server||-|
"+" the vulnerability impacts the product;
"-" the vulnerability does not impact the product.
This Security Bulletin may receive additional updates as further details are discovered, and the History Of Updates section will provide a detailed list of all the changes.
If you would like to receive notifications about new Security Bulletins, please review KB1000489.
To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the following definitions to categorize security issues: KB0608800.
Sitecore Experience Platform versions affected
The vulnerability affects the following Solr versions:
Based on the affected Solr version and Solr compatibility table the vulnerability affects the following Sitecore Experience Platform versions:
Sitecore Managed Cloud Standard versions affected
Sitecore Managed Cloud Standard customers who run a containerized environment including LogStash are affected. Specific solutions are available here. Customers have been informed directly in this case.
Sitecore Managed Cloud Standard versions not affected
To mitigate the vulnerability, apply any of the approaches identified by the Solr community and listed in or referenced by article https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 except for upgrade of Solr version approach which is not available for compatibility reasons.
For containerized environments, all Solr images that have been released by Sitecore since December 20, 2021, include the necessary mitigation steps out of the box. To be more specific, Sitecore uses the "log4j2.formatMsgNoLookups=true" mitigation step recommended by Solr.
The list of particular tags and TargetOS can be found in the sitecore-tags.md file here:
If your solution uses the latest Solr images created by Sitecore, then no additional steps are required.