Thanks for the information Mike! I noticed that on https://solr.apache.org/security.html it lists the following statement for Solr releases prior to 7:

Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use log4j 1.2.17 which may be vulnerable for installations using non-default logging configurations. To determine if you are vulnerable please consult the Log4J security page.

I am working with Solr 6.4.2. I referenced the Log4J security page ( https://logging.apache.org/log4j/2.x/security.html ) and did not see a means to verify whether our 1.2 log4j configuration is vulnerable. Any tips on doing this, or other helpful links?

Thanks,
Matt

On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <rahul196...@gmail.com> wrote:

> In addition to the mitigation strategies mentioned on the Solr page, the
> below blog post indicates that you should be protected if you are using
> Java 11.0.1 and up
>
> https://www.lunasec.io/docs/blog/log4j-zero-day/
>
> On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote:
>
> > Solr is affected. Please see the statement at the
> > https://solr.apache.org/security.html page
> >
> > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood <wun...@wunderwood.org>
> > wrote:
> >
> > > Does all Solr logging go through slf4j? If so, that should protect
> > > against this vulnerability.
> > >
> > > If not, who has tested Solr with log4j 2.15.1?
> > >
> > > We are running 8.8.2.
> > >
> > > wunder
> > > Walter Underwood
> > > wun...@wunderwood.org
> > > http://observer.wunderwood.org/ (my blog)