On 4/14/2022 11:59 AM, Tate, Justina (DTMB) wrote:
> Can you please explain how we can go about upgrading Log4J to greater than
> 2.16.0?

Just replace the jars in the Solr install directory with newer versions
obtained directly from the log4j project.

But there's no need. Solr is not vulnerable to the problems fixed in
log4j 2.17.

https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

If you need to check a compliance box saying you dealt with a
nonexistent vulnerability, just replace the jars as I already said.

Thanks,
Shawn
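
The following is an added example, not part of the original message and not code from the Solr or log4j projects: a POSIX shell check to run after replacing the jars, listing every `log4j-*.jar` under a directory and flagging any left below a chosen minimum version. The function names `ver_lt` and `log4j_audit`, the output format, and the directory and minimum version passed in are assumptions of this example.

```shell
#!/bin/sh
# Added example: inventory log4j jars under a directory after a jar swap.
# Assumes jar names end in -<dotted numeric version>.jar and paths contain no newlines.

# ver_lt A B: succeeds if dotted numeric version A is lower than B (first 3 fields).
ver_lt() {
    a=$1 b=$2
    for i in 1 2 3; do
        x=${a%%.*} y=${b%%.*}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        # Drop the field just compared; a missing field counts as 0.
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 1
}

# log4j_audit DIR MIN: prints "OK|OLD|UNKNOWN <version> <path>" for each jar.
# Returns 1 if any jar is OLD or has a name whose version cannot be read.
log4j_audit() {
    dir=$1 min=$2
    find "$dir" -type f -name 'log4j-*.jar' | sort | (
        rc=0
        while IFS= read -r jar; do
            stem=${jar##*/}
            stem=${stem%.jar}
            ver=${stem##*-}          # text after the last hyphen
            case $ver in
                ''|*[!0-9.]*|.*|*.|*..*)
                    echo "UNKNOWN - $jar"; rc=1; continue ;;
            esac
            if ver_lt "$ver" "$min"; then
                echo "OLD $ver $jar"; rc=1
            else
                echo "OK $ver $jar"
            fi
        done
        exit "$rc"
    )
}

# Stand-alone use: sh log4j_audit.sh <solr-install-dir> <min-version>
if [ "$#" -eq 2 ]; then
    log4j_audit "$1" "$2"
fi
```

An `OLD` line after the swap usually means an older jar was left next to the new one; remove it so only one version of each artifact remains on the classpath.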