Apologies for the typo, Rajath

On Fri, 31 Dec 2021, 18:38 Aman Tandon, <amantandon...@gmail.com> wrote:

> Hi Rajatg,
>
> Log4j1.x is not affected, there is no need this will require many other work around to understand the configuration to understand the log4j2. It's better and safer with log4j1.x.
>
> If you check still many patches coming with log4j2 which is now 2.17.1, in my spring boot application I already did upgrade 2 times still fixes are coming.
>
> So there should be any need to disturb the perfectly running solr instance and it will be waste of time and resources as per my perspective. If you still looking then I hope it will be due to various configuration properties and variables of log4j2 that need to be realigned.
>
> On Thu, 30 Dec 2021, 16:51 Rajath Banagi Ravindra, <rajath.ravind...@mindtree.com> wrote:
>
>> Hi Aman,
>>
>> While checking I came across the below. Looks like 1.2.X is also affected so we upgraded the Log4J JAR file with V2.17.0, post upgrade solr is loading up fine and search related features are working fine.
>>
>> But Logging is not working and even the logging page is not loading and even admin portal is not loading. Can anyone help me here.
>>
>> CVE-2021-4104 <https://nvd.nist.gov/vuln/detail/CVE-2021-4104> (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)
>>
>> Regards
>>
>> Rajath
>>
>> *From:* Aman Tandon <amantandon...@gmail.com>
>> *Sent:* Wednesday, December 29, 2021 7:36 PM
>> *To:* users@solr.apache.org; Rajath Banagi Ravindra <rajath.ravind...@mindtree.com>
>> *Subject:* Re: Solr 6.6.1 Log4J fix
>>
>> You should be safe with log4j1.x version
>>
>> On Wed, 29 Dec 2021, 16:01 Rajath Banagi Ravindra, <rajath.ravind...@mindtree.com.invalid> wrote:
>>
>> Hi,
>>
>> Currently our application uses Solr 6.6.1 version which uses Log4j version 1.2.17 in it. Can we upgrade it to new version of Log4J.
>>
>> Can we just update Log4j JAR file (1.2.17 version) with a new version of Log4J JAR file instead of updating Solr. Will this work? Kindly confirm.
>>
>> Regards-Rajath