> Hi, We are users of Solr 6.6.3 along with Sitecore. Currently my team decided
> to remove the log4j 1.2.17 in Solr 6.6.3 to mitigate the recent vulnerability
> issues. I created a Jira ticket, but David Smiley told me to send an email
> instead.
>
> We tried to remove the Log4j library and place a Slf4j-jdk library onto the
> Solr Application. So far there have been no problems on Solr. To make sure
> that there is no problem, we decided to send this mail for advice. There are
> two questions we want to ask.
> 1. Will changing the library have an impact on the overall Solr performance?

I don't think you'll see noticeable performance issues with any of the well-known logging frameworks.

> 2. Is there anything we can do to make sure the Solr is not vulnerable
> anymore by changing this library?

As long as you use a logging backend that is not vulnerable (either an updated log4j2 version or a different logging framework such as Logback), you should be safe. Consult the SLF4J project at https://www.slf4j.org/ for what JARs to use. This is all static, so if you decide to switch to e.g. Logback, you'll select the corresponding binding, add a Logback config file suitable for Solr, and perhaps also add the Log4j 2 to SLF4J Adapter jar so that things that log with log4j2 will be routed to the chosen backend.

> 3. I was told by David in his comment that JUL isn't working well. Is there
> any other logging library we can use aside from JUL for Solr 6.6.3? If there
> is, do you have any instructions on how to use the other library?

I'd first try log4j2 2.217, and if that is too new for your version of Solr, then try a compatible version of Logback.

Jan
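The state Jan describes as safe (no log4j 1.x or pre-fix log4j-core on the classpath, exactly one SLF4J binding, and optionally the log4j2-to-SLF4J adapter) can be checked mechanically before restarting Solr. The script below is an added example, not code from this thread or from the Solr project. It judges jars by their Maven-style filenames only (`log4j-core-<version>.jar`, `logback-classic-<version>.jar`, and so on), and the "before" and "after" directories it builds under a temp dir are constructed with illustrative version numbers rather than copied from a real install.

```shell
#!/usr/bin/env bash
# Added example: audit a Solr lib directory for the logging jars the thread
# discusses. Not code from the mailing-list thread or the Solr project; it
# judges jars by Maven-style filename only (log4j-core-<ver>.jar etc.).
set -u

# version_ge A B: succeed when dotted version A >= B, comparing field by field.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# audit_solr_lib DIR: print one line per finding; return 0 when the directory
# holds no vulnerable log4j and exactly one SLF4J binding, 1 otherwise.
audit_solr_lib() {
  dir=$1; problems=0; bindings=0; has_impl=0; has_bridge=0
  for jar in "$dir"/*.jar; do
    [ -e "$jar" ] || continue
    name=$(basename "$jar" .jar)
    case "$name" in
      log4j-1.*)
        echo "FAIL: $name is Log4j 1.x (end of life, own CVEs); remove it"
        problems=1 ;;
      log4j-core-*)
        ver=${name#log4j-core-}
        # 2.17.1 closed the December 2021 series (CVE-2021-44228 through -44832)
        # on the main branch; the Java 7/6 branches (2.12.4, 2.3.2) are flagged
        # here too because this check assumes a 2.17.x-or-later target.
        if version_ge "$ver" 2.17.1; then
          echo "OK:   $name"
        else
          echo "FAIL: $name is older than 2.17.1; upgrade or remove it"
          problems=1
        fi ;;
      log4j-slf4j-impl-*)
        echo "INFO: SLF4J binding $name (routes SLF4J to log4j2)"
        bindings=$((bindings + 1)); has_impl=1 ;;
      slf4j-log4j12-*|logback-classic-*|slf4j-jdk14-*|slf4j-simple-*)
        echo "INFO: SLF4J binding $name"
        bindings=$((bindings + 1)) ;;
      log4j-to-slf4j-*)
        echo "INFO: adapter $name (routes log4j2 API calls to SLF4J)"
        has_bridge=1 ;;
    esac
  done
  if [ "$bindings" -ne 1 ]; then
    echo "FAIL: expected exactly one SLF4J binding, found $bindings"
    problems=1
  fi
  # log4j-slf4j-impl and log4j-to-slf4j on one classpath route events in a circle.
  if [ "$has_impl" -eq 1 ] && [ "$has_bridge" -eq 1 ]; then
    echo "FAIL: log4j-slf4j-impl and log4j-to-slf4j together form a logging loop"
    problems=1
  fi
  return "$problems"
}

# Constructed demo layouts (illustrative version numbers, empty files):
demo_dir=$(mktemp -d)
mkdir "$demo_dir/before" "$demo_dir/after"
# "before": modelled on a stock Solr 6.6 server/lib/ext (log4j 1.x binding)
touch "$demo_dir/before/log4j-1.2.17.jar" \
      "$demo_dir/before/slf4j-api-1.7.7.jar" \
      "$demo_dir/before/slf4j-log4j12-1.7.7.jar"
# "after": Logback binding plus the log4j2-to-SLF4J adapter Jan mentions
touch "$demo_dir/after/slf4j-api-1.7.36.jar" \
      "$demo_dir/after/logback-classic-1.2.11.jar" \
      "$demo_dir/after/logback-core-1.2.11.jar" \
      "$demo_dir/after/log4j-api-2.17.1.jar" \
      "$demo_dir/after/log4j-to-slf4j-2.17.1.jar"

for layout in before after; do
  echo "== $layout =="
  if audit_solr_lib "$demo_dir/$layout"; then echo "verdict: clean"; else echo "verdict: fix needed"; fi
done
```

On a Solr 6 install the directory to point `audit_solr_lib` at is normally `server/lib/ext`, plus any contrib or `sharedLib` directories you have added. Two caveats: the check trusts filenames, so a renamed or shaded jar that embeds log4j classes is missed (inspect jar contents, for example `unzip -l` looking for `org/apache/logging/log4j/core/lookup/JndiLookup.class`, if that is a concern), and the 2.12.4 and 2.3.2 maintenance releases for older JDKs also carry the December 2021 fixes but are reported as FAIL here because the threshold is written for the 2.17 line.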
