If you are opting in to using a lookup capable appender then you are vulnerable. I don’t have a POC for testing it, but generally you’d only be affected if you’re using this functionality explicitly
On Fri, Dec 10, 2021 at 3:21 PM mtn search <search...@gmail.com> wrote: > Thanks for the information Mike! > > I noticed that on https://solr.apache.org/security.html it lists the > following statement for Solr releases prior to 7: > > Apache Solr releases prior to 7.0 (i.e. all Solr 5 and Solr 6 releases) use > log4j 1.2.17 which may be vulnerable for installations using non-default > logging configurations. To determine if you are vulnerable please consult > the Log4J security page. > > I am working with Solr 6.4.2. I referenced the Log4J security page ( > https://logging.apache.org/log4j/2.x/security.html ) and did not see a > means to verify whether our 1.2 log4j configuration is vulnerable. Any > tips on doing this, or other helpful links? > > Thanks, > Matt > > > On Fri, Dec 10, 2021 at 1:22 PM Rahul Goswami <rahul196...@gmail.com> > wrote: > > > In addition to the mitigation strategies mentioned on the Solr page, the > > below blog post indicates that you should be protected if you are using > > Java 11.0.1 and up > > > > https://www.lunasec.io/docs/blog/log4j-zero-day/ > > > > On Fri, Dec 10, 2021 at 3:07 PM Mike Drob <md...@mdrob.com> wrote: > > > > > Solr is affected. Please see the statement at the > > > https://solr.apache.org/security.html page > > > > > > On Fri, Dec 10, 2021 at 12:44 PM Walter Underwood < > wun...@wunderwood.org > > > > > > wrote: > > > > > > > Does all Solr logging go through slf4j? If so, that should protect > > > against > > > > this vulnerability. > > > > > > > > If not, who has tested Solr with log4j 2.15.1? > > > > > > > > We are running 8.8.2. > > > > > > > > wunder > > > > Walter Underwood > > > > wun...@wunderwood.org > > > > http://observer.wunderwood.org/ (my blog) > > > > > > > > > > > > > >
