On 9/5/23 23:10, ramkrishna vasudevan wrote:
> Clearly says this vulnerability is not affected in 7.4 to 8.11.1, but the
> affected components are 'log4j-core-2.14.1.jar, log4j-core-2.16.0.jar'.
>
> So does that mean that if we are with log4j-core-2.17.0.jar then this
> vulnerability needs to be fixed? Or is the same argument that '*Solr's default
> log configuration doesn't use JDBCAppender and we don't imagine a user
> would want to use it or other obscure appenders*.' valid for version 2.17.0
> also?

You can only be affected if you have changed the logging config in your Solr install to use JDBCAppender. Solr's default logging config does NOT use that appender.

You could upgrade all the log4j jars in Solr to 2.17.2 and then your vulnerability scanner should not find that vulnerability.

It MIGHT be safe to update the log4j jars to 2.20.0, the latest release, but I can't guarantee that. Updating to 2.17.2 would be safe. I have done that without problems.

Thanks,
Shawn
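The reply makes two separate points: exposure depends on whether the Solr logging config actually uses the JDBC appender, while a scanner keys off the log4j-core jar version. The check below, an added example that is not part of the thread or of Solr's code, applies both tests to a log4j2 XML config and a list of jar names; the sample configs are constructed, and the 2.17.2 threshold is taken from Shawn's recommendation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs (not Solr's real files) used to exercise the check.
DEFAULT_CONFIG = """<Configuration>
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT"><PatternLayout pattern="%m%n"/></Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="STDOUT"/></Root></Loggers>
</Configuration>"""

JDBC_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="DB" tableName="app_log">
      <ConnectionFactory class="example.Conn" method="get"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="DB"/></Root></Loggers>
</Configuration>"""

FIXED_VERSION = (2, 17, 2)  # version the reply recommends upgrading to (assumption)

def uses_jdbc_appender(xml_text):
    """True if any appender in a log4j2 XML config is the JDBC appender.
    log4j2 accepts both <JDBC .../> and <Appender type="JDBC" .../>, and
    plugin names are case-insensitive, so compare lower-cased."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # drop any XML namespace prefix
        if tag == "jdbc" or (tag == "appender" and el.get("type", "").lower() == "jdbc"):
            return True
    return False

def log4j_core_version(jar_name):
    """Extract the version tuple from a log4j-core jar file name, or None."""
    m = re.fullmatch(r"log4j-core-(\d+(?:\.\d+)+)\.jar", jar_name.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def assess(xml_text, jar_names, fixed=FIXED_VERSION):
    """Combine both facts from the thread: the config decides exposure,
    the jar version decides whether a scanner will keep flagging it."""
    versions = [v for v in map(log4j_core_version, jar_names) if v]
    old_jars = [v for v in versions if v < fixed]
    jdbc = uses_jdbc_appender(xml_text)
    return {
        "jdbc_appender": jdbc,
        "core_versions": versions,
        "scanner_flags": bool(old_jars),    # jar below 2.17.2: scanner still complains
        "exposed": jdbc and bool(old_jars),  # only the JDBCAppender path is reachable
    }
```

On a real install, feed it the contents of server/resources/log4j2.xml (or whatever config the install points log4j at) and the file names under server/lib/ext.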

