Hi, As long as you have configured your application having the embedded Solr, to use log4j for logging, and you pass user-entered queries to embedded Solr, then yes, you are vulnerable. And yes, setting that property in the JVM running (embedded) Solr should help. If your application uses another log framework, so that Solr logging is bridged through slf4j to e.g. Logback, then you may not be vulnerable. Look for log4j-core jar file. If you have a vulnerable log4j-core jar in your application, then upgrade log4j directly.
Jan > 14. des. 2021 kl. 14:47 skrev clemens...@mysign.ch: > > Is the embedded Solr also affected by the log4j2 vulnerability? If yes: does > starting the embedded Solr server ( in a tomcat ) with > -Dlog4j2.formatMsgNoLookups=true mitigate the issue alike? > > Our current Solr version is 8.8.2 > > Thx > Clemens
