On 12/14/21 10:55 PM, Soh Jia Yu, Eunice wrote:
We've implemented this step "Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class" from https://logging.apache.org/log4j/2.x/security.html for <solr_dir>/server/lib/ext.
Interesting way to eliminate the problem. That would certainly work.
We would like to check if <solr_dir>/contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar needs to be mitigated in this manner as well, assuming two different solutions: 1) we use Prometheus for solr, and 2) we do not use Prometheus for solr?
Someone on our team looked into this. No user-provided strings are logged by this module, so it should not be vulnerable. But if you want to be thorough and absolutely sure, you can modify the log4j-core jar like you did for Solr.
Thanks, Shawn
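Added example (not part of the thread, and not Solr or Log4j project code): a small audit script that walks a Solr install, lists every log4j-core-*.jar it finds, reports whether each one still contains the JndiLookup.class entry, and optionally rewrites the jar without that entry, which is the same result as the `zip -q -d` command quoted above but done with Python's zipfile so it runs anywhere. The directory layout it builds (server/lib/ext and contrib/prometheus-exporter/lib, both from the thread) and the dummy jar contents are constructed sample data, and the function names are this example's own.

```python
import os
import re
import tempfile
import zipfile

# Entry that the Apache advisory quoted in the thread tells you to delete.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Only log4j-core carries the lookup; log4j-api and other jars are ignored.
JAR_PATTERN = re.compile(r"^log4j-core-.*\.jar$")


def find_log4j_core_jars(root):
    """Walk root and return every log4j-core-*.jar path found beneath it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if JAR_PATTERN.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def has_jndi_lookup(jar_path):
    """True if the jar still contains the JndiLookup class entry."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_ENTRY in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JNDI_ENTRY (equivalent of `zip -q -d <jar> <entry>`).

    Returns True if an entry was removed, False if the jar was already clean.
    A temp file in the same directory is written first, then atomically
    swapped in, so a crash mid-way never leaves a truncated jar behind.
    """
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_ENTRY not in src.namelist():
            return False
        fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path))
        os.close(fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_ENTRY:
                    continue
                # Reusing the ZipInfo keeps timestamps and compression method.
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return True


def audit_tree(root, fix=False):
    """Return {jar_path: 'vulnerable' | 'mitigated' | 'patched'} for root.

    'mitigated' means the class was already absent; 'patched' means this
    call removed it (only possible with fix=True).
    """
    results = {}
    for jar in find_log4j_core_jars(root):
        if not has_jndi_lookup(jar):
            results[jar] = "mitigated"
        elif fix:
            strip_jndi_lookup(jar)
            results[jar] = "patched"
        else:
            results[jar] = "vulnerable"
    return results


def build_sample_tree(root):
    """Constructed sample: a Solr-like layout with dummy jars, not real artifacts."""
    jars = {
        "server/lib/ext/log4j-core-2.13.2.jar": True,
        "contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar": True,
        "server/lib/ext/log4j-api-2.13.2.jar": False,  # not log4j-core: skipped
    }
    for rel, with_jndi in jars.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("placeholder.txt", "dummy payload")
            if with_jndi:
                zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")  # fake class bytes
    return root


def run_demo():
    """Audit, fix, re-audit the sample tree; return the three result dicts
    keyed by path relative to the tree."""
    with tempfile.TemporaryDirectory() as solr_dir:
        build_sample_tree(solr_dir)
        rel = lambda d: {os.path.relpath(k, solr_dir): v for k, v in d.items()}
        before = rel(audit_tree(solr_dir))
        fixed = rel(audit_tree(solr_dir, fix=True))
        after = rel(audit_tree(solr_dir))
    return before, fixed, after


if __name__ == "__main__":
    for label, res in zip(("before", "fix", "after"), run_demo()):
        for jar, status in res.items():
            print(f"{label:6} {status:10} {jar}")
```

Running `audit_tree("<solr_dir>")` without `fix=True` is a read-only check, which is the useful mode for confirming that both the server/lib/ext jar and the prometheus-exporter jar have actually been handled after a manual `zip -d`; rerun it after every Solr upgrade, since a fresh package restores the original jars.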
