Posted to users@solr.apache.org by "clemensdev@mysign.ch" <cl...@mysign.ch> on 2021/12/14 13:47:25 UTC

Is the embedded Solr ( also affected by the log4j2 vulnerability?

Is the embedded Solr also affected by the log4j2 vulnerability? If yes: does starting the embedded Solr server ( in a tomcat ) with -Dlog4j2.formatMsgNoLookups=true mitigate the issue alike?

Our current Solr version is 8.8.2

Thx
Clemens

Re: Is the embedded Solr ( also affected by the log4j2 vulnerability?

Posted by Jan Høydahl <ja...@cominvent.com>.
Hi,

As long as you have configured the application that has the embedded Solr to use log4j for logging, and you pass user-entered queries to the embedded Solr, then yes, you are vulnerable. And yes, setting that property in the JVM running (embedded) Solr should help. If your application uses another log framework, so that Solr logging is bridged through slf4j to e.g. Logback, then you may not be vulnerable. Look for the log4j-core jar file. If you have a vulnerable log4j-core jar in your application, then upgrade log4j directly.

Jan

> On 14 Dec 2021, at 14:47, clemensdev@mysign.ch wrote:
> 
> Is the embedded Solr also affected by the log4j2 vulnerability? If yes: does starting the embedded Solr server ( in a tomcat ) with -Dlog4j2.formatMsgNoLookups=true mitigate the issue alike?
> 
> Our current Solr version is 8.8.2
> 
> Thx
> Clemens
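
The "look for the log4j-core jar file" check from the reply above, as an added example that is not part of the original thread: it walks a deployment directory (for instance Tomcat's webapps), opens JAR/WAR/EAR files including archives nested inside them, and reports each log4j-core copy with its version and whether `JndiLookup.class` is present. The function names and the sample WAR are constructed for illustration; the script makes no judgement about which versions are vulnerable.

```python
import io, re, sys, zipfile
from pathlib import Path

# Entries that identify log4j-core even when the jar was renamed or shaded.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def inspect(data, label, found, depth=0):
    """Record log4j-core copies inside one archive; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not an archive after all; skip it
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            text = zf.read(POM).decode(errors="replace") if POM in names else ""
            m = re.search(r"^version=(\S+)", text, re.M)
            found.append({"path": label, "version": m.group(1) if m else "unknown",
                          "jndi_lookup": JNDI in names})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES) and depth < 4:
                inspect(zf.read(name), f"{label}!/{name}", found, depth + 1)
    return found

def scan(root):
    """Walk a directory tree and inspect every JAR/WAR/EAR found in it."""
    found = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            inspect(p.read_bytes(), str(p), found)
    return found

def sample_war(version="0.0.0-sample", with_jndi=True):
    """Constructed input: a WAR holding one fake log4j-core jar (placeholder version)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(POM, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI, b"")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return war.getvalue()

if __name__ == "__main__":
    hits = scan(sys.argv[1]) if len(sys.argv) > 1 else inspect(sample_war(), "sample.war", [])
    for h in hits:
        state = "present" if h["jndi_lookup"] else "absent"
        print(f"{h['path']}  version={h['version']}  JndiLookup.class={state}")
```

Run it with the application's deployment directory as the only argument; with no argument it scans the constructed sample WAR.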