On 4/14/22 03:47, Kunal Tidake wrote:
> We have upgraded Solr to v8.11.1 which includes log4j v2.16.0. We want to
> upgrade log4j to v2.17.1. So is it possible to upgrade log4j from v2.16.0 to
> v2.17.0? Please let us know.

Yes. Just replace all the log4j jars with newer ones.

We are not releasing a new 8.11.x version with updated log4j. Due to
the way that the library is used, Solr is not vulnerable to the problems
fixed by log4j 2.17, at least not with the default logging configuration.
Likely you are using a security scanner that just blindly checks jar
versions, and has no way to know that in a certain context, there is no
vulnerability.
Thanks,
Shawn
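
An added example, not part of the original message or of Solr: one way to confirm that a manual jar swap like the one described above replaced every log4j jar. It compares the version in each file name with the version recorded inside the jar, which a scanner that only reads file names does not do. It assumes the jars are named `log4j-<module>-<version>.jar` and carry an `Implementation-Version` manifest entry; the function names and the sample jars are constructed for illustration.

```python
import os
import re
import tempfile
import zipfile

JAR_RE = re.compile(r"^log4j-.+?-(\d+(?:\.\d+)+)\.jar$")
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\d+(?:\.\d+)+)", re.MULTILINE)


def as_tuple(version):
    return tuple(int(part) for part in version.split("."))


def manifest_version(jar_path):
    """Version recorded inside the jar, or None if it cannot be read."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):
        return None
    found = MANIFEST_RE.search(text)
    return found.group(1) if found else None


def audit_log4j_jars(root, target):
    """List (file name, problem) for every log4j jar under root not at target."""
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            named = JAR_RE.match(name)
            if not named:
                continue
            inside = manifest_version(os.path.join(dirpath, name))
            if inside is None:
                problems.append((name, "no version in manifest"))
            elif inside != named.group(1):
                problems.append((name, f"name says {named.group(1)}, manifest says {inside}"))
            elif as_tuple(inside) < as_tuple(target):
                problems.append((name, f"still at {inside}"))
    return sorted(problems)


def write_jar(directory, name, version):
    """Build a constructed stand-in jar holding only a manifest."""
    manifest = f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n"
    with zipfile.ZipFile(os.path.join(directory, name), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as lib:  # constructed directory, not a Solr path
        write_jar(lib, "log4j-api-2.17.1.jar", "2.17.1")
        write_jar(lib, "log4j-core-2.16.0.jar", "2.16.0")  # jar missed during the swap
        for name, problem in audit_log4j_jars(lib, "2.17.1"):
            print(name, "->", problem)
```

An empty result means every log4j jar found under the directory is at the target version or newer and its file name matches its manifest.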