Legacy Product

Fusion 5.4.5 Release Notes

Release date: December 17, 2021

Component versions:

| Component | Version |
| --- | --- |
| Solr | 8.8.2 |
| ZooKeeper | 3.6.2 |
| Spark | 2.4.5 |
| Kubernetes | GKE, AKS, EKS 1.21. Rancher (RKE) and OpenShift 4 compatible with Kubernetes 1.21. OpenStack and customized Kubernetes installs not supported. |
| Ingress Controllers | Nginx, Ambassador (Envoy), GKE Ingress Controller. Istio not supported. |

Upgrade immediately!

Check out the Fusion 5 Upgrades topic for details.

Fusion 5.4.5 addresses CVE-2021-44228, a critical zero-day vulnerability discovered in Apache Log4j, a logging library used in many Java-based applications.

This widespread vulnerability affects all versions of Fusion and Solr. If Fusion and Solr are correctly secured behind a firewall and queries are sanitized by middleware, the risk of this vulnerability being exploited is low. However, as with all vulnerabilities, if an attacker gains access to the server, this vulnerability can be exploited.

The Fusion 5.4.5 release upgrades Log4j to 2.16.0 throughout Fusion. The only exception is for Apache Pulsar, a third-party multi-tenant messaging system, which is awaiting an official update. Although Pulsar in Fusion 5.4.5 uses Log4j 2.15.0, Pulsar is not susceptible to CVE-2021-44228 or the related CVE-2021-45046, due to how the service is configured in Fusion.
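To confirm after the upgrade that a deployment matches the versions stated above, the following added example (not Lucidworks code) audits `log4j-core` jar file names against the 2.16.0 baseline and treats Pulsar's 2.15.0 as the one documented exception. The sample paths are constructed, and identifying Pulsar by a path containing "pulsar" is an assumption.

```python
import re
from pathlib import Path

BASELINE = (2, 16, 0)        # Log4j version the release notes state for Fusion 5.4.5
PULSAR_VERSION = (2, 15, 0)  # documented exception: Pulsar ships Log4j 2.15.0
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def classify(jar_path):
    """Return (status, version) for one path, or None if not a log4j-core 2.x jar."""
    m = JAR_RE.search(str(jar_path))
    if not m:
        return None
    version = tuple(int(p) for p in m.groups())
    if version >= BASELINE:
        return ("ok", version)
    # Assumption: Pulsar's jars live under a path containing "pulsar".
    if version == PULSAR_VERSION and "pulsar" in str(jar_path).lower():
        return ("documented-exception", version)
    return ("below-baseline", version)


def audit(paths):
    """Group every log4j-core jar in `paths` by status."""
    report = {"ok": [], "documented-exception": [], "below-baseline": []}
    for p in paths:
        result = classify(p)
        if result:
            report[result[0]].append((str(p), ".".join(map(str, result[1]))))
    return report


def scan(root):
    """Audit every log4j-core jar under an unpacked image or install directory."""
    return audit(Path(root).rglob("log4j-core-*.jar"))


# Constructed sample paths (not real Fusion paths).
SAMPLE = [
    "/opt/example/query/lib/log4j-core-2.16.0.jar",
    "/opt/example/pulsar/lib/log4j-core-2.15.0.jar",
    "/opt/example/plugin/lib/log4j-core-2.14.1.jar",
    "/opt/example/indexing/lib/log4j-core-2.15.0.jar",
    "/opt/example/indexing/lib/commons-io-2.8.0.jar",
]

if __name__ == "__main__":
    for status, jars in audit(SAMPLE).items():
        print(status, jars)
```

Matching on file names does not see Log4j classes bundled inside shaded or fat jars, so anything reported as `below-baseline` is a starting point for review rather than a complete inventory.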

Security bulletin

For detailed information on CVE-2021-44228 and its impact on Lucidworks products, see our security bulletin.