Hi All,

We are internally using Solr 7.5. As part of the zero-day log4j vulnerability we already moved log4j to version 2.17.0 in the Solr component.

Now the tools that we run internally flag CVE-2021-44832 <https://nvd.nist.gov/vuln/detail/CVE-2021-44832>. But the Solr security page https://solr.apache.org/security.html clearly says this vulnerability is not affected in 7.4 to 8.11.1 but the affected components are 'log4j-core-2.14.1.jar, log4j-core-2.16.0.jar'. So does that mean that if we are with log4j-core-2.17.0.jar then this vulnerability needs to be fixed? Or is the same argument that '*Solr's default log configuration doesn't use JDBCAppender and we don't imagine a user would want to use it or other obscure appenders*.' valid for the 2.17.0 version also?

Any info on this would be appreciated. Thanks in advance.

PS: Sorry for emailing to dev@ and user@ since I wanted to see if other users also faced similar issues.

Regards
Ram
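
One way to test the quoted JDBCAppender argument against a deployed configuration, as an added example that is not part of the original email or of Solr's code: the Python below parses a log4j2 XML configuration and lists any JDBC appenders with their JNDI data source names. Both sample configurations are constructed for illustration and are not Solr's shipped files; the function and variable names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (illustrative only, not Solr's shipped log4j2.xml).
SAMPLE_DEFAULT_STYLE = """<Configuration>
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <RollingFile name="MainLogFile" fileName="solr.log" filePattern="solr.log.%i"/>
  </Appenders>
</Configuration>"""

SAMPLE_WITH_JDBC = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="logs">
      <DataSource jndiName="java:/comp/env/jdbc/LogDb"/>
    </JDBC>
    <Appender type="Console" name="STDOUT"/>
  </Appenders>
</Configuration>"""


def local(tag):
    """Strip an XML namespace prefix, if any, and lowercase the tag."""
    return tag.rsplit("}", 1)[-1].lower()


def find_jdbc_appenders(xml_text):
    """Return (appender name, JNDI data source or None) for each JDBC appender.

    Covers the concise form (<JDBC ...>) and the strict form
    (<Appender type="JDBC" ...>); plugin names are matched case-insensitively.
    """
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        kind = local(el.tag)
        if kind == "appender":  # strict form carries the plugin in type=
            kind = el.get("type", "").lower()
        if kind != "jdbc":
            continue
        jndi = None
        for child in el.iter():  # nested <DataSource jndiName="..."/>
            if child.get("jndiName"):
                jndi = child.get("jndiName")
        found.append((el.get("name"), jndi))
    return found
```

An empty list for every log4j2 configuration file the Solr process loads means no JDBC appender is declared in those files.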