In the wake of the log4j vulnerability, though we are not affected, we should look in to upgraded requirements for these Java-related requirements. We have an inconsistency between code and docs, and allow some old versions.

• v1.13 goes EOL in a couple weeks, not much point in spending time on it.
• v2.5
  • The doc says we require "Solr 7.7LTS or Solr 8" and "Elasticsearch 7.7" and "Oracle Java/Open JDK 8 or higher"
  • While the code installs Solr 6.6.5 by default, this is inconsistent.
• v3.3
  • The doc says we require "Solr 7.7LTS or Solr 8" and "Elasticsearch 7.7, using Oracle Java/Open JDK 8 or higher"
  • And the code installs Solr 7.7.2 by default, or Elasticsearch 7.7.
• v4
  • The master doc says the same as for v3.3.
  • We install Solr 7.7 or Elasticsearch 7.7 by default.

Recommendations from vendors

• Log4j: Upgrade to v2.16.0 or later (the earlier v2.15.0 was found to be not enough)
• Solr: 8.11.1 https://solr.apache.org/news.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
• Elasticsearch: Not affected with Java 9+, but anyway: 7.16.1 and 6.8.21 https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
• Java JDK: 9 or newer.
• Platform.sh: https://platform.sh/blog/2021/platformsh-protects-from-apache-log4j/

Recommentation for Ibexa

• We must fix the v2.5 inconsistency, by bumping the installed version.
• We should bump the Java requirement from 8 to 11 LTS. This is fine for our relevant versions of Solr and Elastisearch.
• Can we bump Solr requirements to 8.11.1 which has the updated log4j requirement? (The Elasticsearch info leak issue is solved in Java newer than 8.)
• Where the docs recommend Solr 8.6, we should upgrade this too.

Dependencies requirements

Solr: https://solr.apache.org/guide/8_11/solr-system-requirements.html
Elasticsearch: https://www.elastic.co/support/matrix#matrix_jvm