On 12/29/2021 11:38 AM, Balabag, Jonathan wrote:
Currently our project is being flagged as vulnerable by scans because it is using Log4j 1.2,
even though we have already applied the mitigation by removing JMSAppender from the jar
file and not setting it as the default appender.
Can you confirm whether the mitigation is enough to avoid such a vulnerability?

If the log4j config that Solr is using has not been changed to use the
JMS Appender, then it is not affected by that vulnerability. Removing
the class entirely from the jar is additional assurance that you're OK.
Thanks,
Shawn
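The two checks Shawn describes (the log4j config Solr runs with must not reference JMSAppender, and the class can be stripped from the jar for extra assurance) can be scripted. The block below is an added example written for this page; it is not code from the thread or from the Solr project. It builds a constructed stand-in jar with fake class bytes and two constructed log4j.properties snippets rather than reading a real installation, and the file names (log4j-1.2.17.jar, the properties keys) are illustrative assumptions. On a real host you would point `jms_appender_entries` and `strip_jms_appender` at the log4j 1.2 jar on Solr's classpath and `config_uses_jms_appender` at the log4j.properties or log4j.xml Solr was started with.

```python
"""Check and apply the Log4j 1.2 JMSAppender mitigation discussed in the thread:
(1) confirm the log4j config Solr uses never wires in JMSAppender, and
(2) strip JMSAppender.class from the log4j jar as extra assurance.
Added example, not Solr's or the thread's code; paths and configs are constructed."""
import os
import re
import tempfile
import zipfile

# Fully-qualified class name as it appears in properties or XML configs.
JMS_CONFIG_RE = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")
# Jar entries for the appender and any inner classes (JMSAppender$1.class ...).
JMS_ENTRY_RE = re.compile(r"^org/apache/log4j/net/JMSAppender(\$[^/]*)?\.class$")


def config_uses_jms_appender(config_text: str) -> bool:
    """True if a live (non-commented) line of a log4j 1.x config references JMSAppender.

    Handles log4j.properties ('#' comments) and log4j.xml ('<!-- -->' comments),
    so a commented-out appender does not produce a false positive."""
    without_xml_comments = re.sub(r"<!--.*?-->", "", config_text, flags=re.S)
    for line in without_xml_comments.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if JMS_CONFIG_RE.search(line):
            return True
    return False


def jms_appender_entries(jar_path: str) -> list:
    """Names of JMSAppender class entries still present in the jar (empty == removed)."""
    with zipfile.ZipFile(jar_path) as zf:
        return [name for name in zf.namelist() if JMS_ENTRY_RE.match(name)]


def strip_jms_appender(jar_path: str, out_path: str) -> int:
    """Write a copy of jar_path to out_path with every JMSAppender entry dropped.

    zipfile cannot delete in place, so the jar is rebuilt entry by entry; each
    original ZipInfo is reused so timestamps and compression survive.
    Returns the number of entries removed."""
    removed = 0
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if JMS_ENTRY_RE.match(info.filename):
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


# Constructed sample configs (not Solr's shipped files). The safe one carries a
# commented-out JMSAppender line to show that comments are ignored.
SAFE_CONFIG = """\
log4j.rootLogger=INFO, file, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.file=org.apache.log4j.RollingFileAppender
#log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""
UNSAFE_CONFIG = """\
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
"""


def build_sample_jar(path: str) -> None:
    """Constructed stand-in for a log4j 1.2 jar: realistic entry names, fake bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/net/SocketAppender.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/net/JMSAppender.class", b"\xca\xfe\xba\xbe")


def demo() -> dict:
    """Run both checks on the sample jar and configs; returns the findings."""
    workdir = tempfile.mkdtemp()
    jar = os.path.join(workdir, "log4j-1.2.17.jar")      # assumed file name
    fixed = os.path.join(workdir, "log4j-1.2.17-nojms.jar")
    build_sample_jar(jar)
    before = jms_appender_entries(jar)
    removed = strip_jms_appender(jar, fixed)
    after = jms_appender_entries(fixed)
    with zipfile.ZipFile(fixed) as zf:
        entries_left = len(zf.namelist())
    return {
        "jar_had_jms_before": bool(before),
        "entries_removed": removed,
        "jar_has_jms_after": bool(after),
        "entries_left": entries_left,
        "safe_config_uses_jms": config_uses_jms_appender(SAFE_CONFIG),
        "unsafe_config_uses_jms": config_uses_jms_appender(UNSAFE_CONFIG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`strip_jms_appender` has the same effect as `zip -q -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class`, but leaves the original jar untouched so you can diff the two. Note that this verifies the mitigation is in place; it does not change what a version-based scanner reports, which is exactly why the original poster's project was still being flagged despite the class having been removed.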