On 2/23/2022 9:25 PM, Ramila Herath wrote:
> Can this vulnerability be exploited in Solr 8.11.1? Solr 8.11.1 has log4j 2.16 but I couldn’t find a log4j.properties file in the distribution setting a non-default layout pattern (with or without context lookup). Any idea when Solr would do a release with log4j 2.17.1?
As noted in another reply, Solr is not vulnerable to the problems fixed after log4j 2.16, as long as you do not change the logging configuration. Because of that, it is likely that the first version of Solr with log4j 2.17.1 or later will be Solr 9.0.0. The release process for 9.0.0 is underway now. I do not have an ETA.
The log4j2 library does not use log4j.properties for configuration - that's used by log4j 1.x. You'll find the logging config for Solr in a file named log4j2.xml.
Thanks, Shawn
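A check for the condition discussed in this thread, as an added example that is not part of the original messages or Solr's own code: it parses a log4j2.xml and reports every layout pattern that contains a `${ctx:...}` context lookup, together with the appender it belongs to. The sample configuration, its appender names and the `requestId` key are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key}; the escaped form $${ctx:key} is caught as well.
CTX_LOOKUP = re.compile(r"\$\{ctx:[^}]*\}")

# Constructed, trimmed sample; not Solr's shipped log4j2.xml.
SAMPLE = """<Configuration>
  <Appenders>
    <Console name="STDOUT">
      <PatternLayout pattern="%d %-5p %c{1.} %m%n"/>
    </Console>
    <RollingFile name="MainLogFile" fileName="solr.log" filePattern="solr.log.%i">
      <PatternLayout>
        <Pattern>%d %-5p $${ctx:requestId} %m%n</Pattern>
      </PatternLayout>
    </RollingFile>
  </Appenders>
</Configuration>"""


def find_context_lookups(xml_text):
    """Return [(appender_name, [lookups])] for patterns using ${ctx:...}."""
    findings = []

    def walk(elem, owner):
        # The nearest ancestor with a name attribute is the owning appender.
        owner = elem.get("name", owner)
        # A pattern may be an attribute (pattern="...") or a <Pattern> child.
        # filePattern is a rollover file name, not a layout, so it is skipped.
        patterns = [v for k, v in elem.attrib.items() if k.lower() == "pattern"]
        if elem.tag.lower() == "pattern" and elem.text:
            patterns.append(elem.text.strip())
        for pattern in patterns:
            hits = CTX_LOOKUP.findall(pattern)
            if hits:
                findings.append((owner, hits))
        for child in elem:
            walk(child, owner)

    walk(ET.fromstring(xml_text), None)
    return findings


if __name__ == "__main__":
    for appender, lookups in find_context_lookups(SAMPLE):
        print(f"appender {appender}: context lookup(s) {lookups}")
```

A non-empty result means the logging configuration has been changed to use a context lookup in a layout pattern and should be reviewed; it does not by itself show that the lookup value is attacker-controlled.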