ppkarwasz opened a new pull request, #195: URL: https://github.com/apache/solr-site/pull/195
You broke it, you fix it. Since we (the Log4j team) decided to pollute the world with these CVEs, the least we can do is help evaluate their (negligible) impact on Apache Solr.

This adds VEX statements for the five April 2026 Apache Log4j CVEs, assessed against the **Solr 9.10.1** binary distribution:

| CVE | Component | Verdict |
| --- | --- | --- |
| CVE-2026-34477 | log4j-core | not_affected / requires_configuration |
| CVE-2026-34478 | log4j-core | not_affected / requires_configuration |
| CVE-2026-34479 | log4j-1.2-api | not_affected / requires_configuration |
| CVE-2026-34480 | log4j-core | not_affected / requires_configuration |
| CVE-2026-34481 | log4j-layout-template-json | not_affected / code_not_reachable |

**TL;DR: none of these are reachable in a stock Solr install.**

* 34477-34480 all require swapping Solr's default `PatternLayout` for some exotic layout or appender (`XmlLayout`, `Rfc5424Layout`, the Log4j 1 bridge, or a TLS network appender). If you didn't go out of your way to do that, you are fine.
* 34481 needs someone to log a `MapMessage` with a `NaN`/`Infinity` float through `JsonTemplateLayout`. A scan of all 486 jars in the distribution shows nothing ever produces a `MapMessage`, so it is simply unreachable.

Each statement spells out the exact configuration that would make you vulnerable, and which jar in `server/lib/ext/` to swap if you really did go off-piste.

Solves SOLR-18288.
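A CycloneDX-style VEX document built from the verdicts in the table above, with a sanity check that every `not_affected` statement carries a justification from the spec's vocabulary and that no CVE is asserted twice. This is an added illustration, not the VEX files the PR adds; the product reference, the `specVersion` and the `detail` wording are assumptions, while the CVE ids and verdicts are the ones in the PR description.

```python
import re
# CycloneDX vulnerability-analysis vocabularies (spec 1.4 and later).
STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage",
          "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SOLR_REF = "pkg:maven/org.apache.solr/solr@9.10.1"  # assumed placeholder ref, not from the PR
# (cve, component, state, justification, detail); ids and verdicts are from the PR's table,
# the detail strings are paraphrased here and are not the PR's wording.
ASSESSMENTS = [
    ("CVE-2026-34477", "log4j-core", "not_affected", "requires_configuration",
     "needs a non-default layout or appender; stock Solr uses PatternLayout"),
    ("CVE-2026-34478", "log4j-core", "not_affected", "requires_configuration",
     "needs a non-default layout or appender; stock Solr uses PatternLayout"),
    ("CVE-2026-34479", "log4j-1.2-api", "not_affected", "requires_configuration",
     "needs the Log4j 1 bridge to be configured; stock Solr does not use it"),
    ("CVE-2026-34480", "log4j-core", "not_affected", "requires_configuration",
     "needs a non-default layout or appender; stock Solr uses PatternLayout"),
    ("CVE-2026-34481", "log4j-layout-template-json", "not_affected", "code_not_reachable",
     "needs a MapMessage through JsonTemplateLayout; no jar in the distribution emits one"),
]

def build_vex(assessments, product_ref=SOLR_REF):
    """Return a CycloneDX VEX document (as a dict; json.dumps it to publish) for the verdicts."""
    vulns = []
    for cve, comp, state, just, detail in assessments:
        analysis = {"state": state, "detail": f"{comp}: {detail}"}
        if just:  # omit the key rather than emit null, which the schema's enum would reject
            analysis["justification"] = just
        vulns.append({"id": cve, "affects": [{"ref": product_ref}], "analysis": analysis})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": vulns}

def validate_vex(doc):
    """Return the list of problems found; an empty list means the document passed."""
    problems, seen = [], set()
    for v in doc.get("vulnerabilities", []):
        cve, analysis = v.get("id", ""), v.get("analysis", {})
        state, just = analysis.get("state"), analysis.get("justification")
        checks = [
            (not CVE_RE.match(cve), f"{cve!r}: malformed CVE id"),
            (cve in seen, f"{cve}: duplicate statement"),
            (state not in STATES, f"{cve}: unknown state {state!r}"),
            (just is not None and just not in JUSTIFICATIONS, f"{cve}: unknown justification {just!r}"),
            (state == "not_affected" and just is None, f"{cve}: not_affected requires a justification"),
            (not v.get("affects"), f"{cve}: no affected product reference"),
        ]
        seen.add(cve)
        problems += [msg for bad, msg in checks if bad]
    return problems
```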
