Old Release

This documentation relates to an old version of VIVO, version 1.13.x.
Looking for another version? See all documentation.


On December 9th, 2021, a 0-day exploit in the popular Java logging library log4j was discovered that results in Remote Code Execution (RCE) by logging a certain string.

The impact of this vulnerability is quite severe. More about this issue impact (somewhere called Log4Shell) might be found at https://www.randori.com/blog/cve-2021-44228/

What is affected

The VIVO core source code is not impacted by this vulnerability, but the Solr platform used by VIVO might be. The following versions of Solr are affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0 (source: https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228).


Any of the following are enough to prevent this vulnerability for Solr servers:

  • Upgrade to Solr 8.11.1 or greater (when available), which will include an updated version of the Log4J dependency.
  • If you are using Solr's official docker image, no matter the version, it has already been mitigated. You may need to re-pull the image.
  • Manually update the version of Log4J on your runtime classpath and restart your Solr application.
  • (Linux/MacOS) Edit your solr.in.sh file to include: SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
  • (Windows) Edit your solr.in.cmd file to include: set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
  • Follow any of the other mitgations listed at https://logging.apache.org/log4j/2.x/security.html

  • No labels