Lucene core is a no-dependencies library. Some of the other Lucene
modules, and the build and tests, have dependencies, but none of them
includes log4j. So sorry, but we won't be making Lucene use log4j
2.17.2; probably you should get your compliance standards changed to
include *forbidden* version
Categorization: Unclassified
Hi:
What version of log4j is included in Lucene version 8.11.2? The release notes
for Solr 8.11.2 explicitly states log4j version is upgraded to 2.17.2 to
address security vulnerabilities, but there is no such note for Lucene. I
assume the same is true for Lucene
