Hello, is it safe to simply replace the jars in the solr lib/ext folder with version 2.16, or are they hardcoded in scripts or meta-inf files? Thanks

Ing. Andrea Vettori
Responsabile Sistemi Informativi
B2BIres s.r.l.
> On 15 Dec 2021, at 17:32, Shawn Heisey <[email protected]> wrote:
>
> On 12/14/21 10:55 PM, Soh Jia Yu, Eunice wrote:
>> We've implemented this step "Otherwise, remove the JndiLookup class from the
>> classpath: zip -q -d log4j-core-*.jar
>> org/apache/logging/log4j/core/lookup/JndiLookup.class" from
>> https://logging.apache.org/log4j/2.x/security.html for
>> <solr_dir>/server/lib/ext.
>
> Interesting way to eliminate the problem. That would certainly work.
>
>> We would like to check if
>> <solr_dir>/contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar needs to be
>> mitigated in this manner as well, assuming two different solutions: 1) we
>> use Prometheus for solr, and 2) we do not use Prometheus for solr?
>
> Someone on our team looked into this. No user-provided strings are logged by
> this module, so it should not be vulnerable. But if you want to be thorough
> and absolutely sure, you can modify the log4j-core jar like you did for Solr.
>
> Thanks,
> Shawn
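The thread's mitigation is the `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` step from the Log4j security page, applied by hand to one directory. The script below is an added example (not code from the thread, from Solr, or from Log4j) that does the same thing with Python's standard `zipfile` module across a whole install tree, so both locations asked about (`server/lib/ext` and `contrib/prometheus-exporter/lib`) are covered in one pass, and then re-checks every jar to confirm the class is gone. A jar is an ordinary zip archive, so no Java tooling is needed. The directory layout and jar contents in `demo()` are constructed stand-ins: the `.class` entries are placeholder bytes, not real classes, and the only thing the scan keys on is the entry name.

```python
"""Find log4j-core jars under a Solr install and remove JndiLookup.class.

Added example, not code from the mailing-list thread or from the Solr or
Log4j projects. It does with Python's zipfile what the thread's command does
with `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`,
and verifies the result afterwards. A jar is an ordinary zip archive, so no
Java tooling is needed. The demo() tree and the jar contents are constructed.
"""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches the file names seen in the thread, e.g. log4j-core-2.13.2.jar.
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def find_log4j_core_jars(root):
    """Yield (path, version) for every log4j-core-<version>.jar below root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            m = JAR_NAME_RE.match(name)
            if m:
                yield os.path.join(dirpath, name), m.group(1)


def has_jndi_lookup(jar_path):
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return True if it was removed.

    zipfile cannot delete an entry in place, so every other entry is copied
    to a temporary jar in the same directory, which then replaces the original.
    """
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
        shutil.copymode(jar_path, tmp_path)
        os.replace(tmp_path, jar_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return True


def audit(root):
    """Map each log4j-core jar (path relative to root) to (version, has_jndi, entries)."""
    report = {}
    for path, version in find_log4j_core_jars(root):
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            assert zf.testzip() is None, "corrupt jar: " + path
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        report[rel] = (version, JNDI_LOOKUP in names, len(names))
    return report


def make_sample_jar(path, with_jndi):
    """Write a constructed stand-in jar; the class bytes are placeholders, not real classes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/LogEvent.class", b"\xca\xfe\xba\xbe placeholder")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")


def demo():
    """Build a constructed Solr-like tree, mitigate it, return (before, after, removed)."""
    root = tempfile.mkdtemp(prefix="solr-")
    try:
        # The two locations the thread asks about, plus a jar the scan must ignore.
        make_sample_jar(os.path.join(root, "server/lib/ext/log4j-core-2.13.2.jar"), True)
        make_sample_jar(os.path.join(root, "contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar"), True)
        make_sample_jar(os.path.join(root, "server/lib/ext/log4j-api-2.13.2.jar"), False)
        before = audit(root)
        removed = sum(strip_jndi_lookup(p) for p, _v in find_log4j_core_jars(root))
        after = audit(root)
        return before, after, removed
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after, removed = demo()
    for rel, (version, jndi, entries) in after.items():
        print(f"{rel}: log4j-core {version}, JndiLookup present: {jndi}, entries: {entries}")
    print(f"removed JndiLookup.class from {removed} jar(s)")
```

Two caveats a practitioner would want: the check only looks for the class under its standard path, so a shaded or repackaged copy of log4j-core with a different entry name would not be found, and a running JVM has already opened the original jar, so Solr (and the Prometheus exporter, if it is running) must be restarted before the change takes effect.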
