Posted to users@solr.apache.org by Woei Jong Yoon <wo...@xtremax.com> on 2021/12/11 11:34:15 UTC

Update Log4J library version for Solr 6.6.3

Hi All,

Currently, Solr version 6.6.3 is using the log4j library, version 1.2.17.

If we plan to update the log4j library version to 2.15 because the log4j library is at end of support, may we check whether Solr 6.6.3 is able to support it?

Additional advice will be appreciated.

Thank you.

Regards,
Yoon Woei Jong


www.xtremax.com<http://www.xtremax.com/>    l   114 Lavender Street #08-93 CT Hub 2 Singapore 338729


CONFIDENTIALITY NOTICE:

The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.

Re: Update Log4J library version for Solr 6.6.3

Posted by Yuval Paz <yu...@mail.huji.ac.il>.
Log4j2 is not a simple upgrade of log4j(1); in fact, it is a completely new
library.

Although I'm not 100% sure about how Solr uses log4j, in most cases it is
not a simple plug and play.

If you are concerned about the 0-day vulnerability, see the link below.

From my understanding, the vulnerability only affected log4j2.

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

On Sat, Dec 11, 2021, 1:49 PM Woei Jong Yoon <wo...@xtremax.com> wrote:

> Hi All,
>
> Currently, Solr version 6.6.3 is using the log4j library, version 1.2.17.
>
> If we plan to update the log4j library version to 2.15 because the log4j
> library is at end of support, may we check whether Solr 6.6.3 is able to
> support it?
>
> Additional advice will be appreciated.
>
> Thank you.
>
> Regards,
> Yoon Woei Jong
>
>
> www.xtremax.com<http://www.xtremax.com/>    l   114 Lavender Street
> #08-93 CT Hub 2 Singapore 338729

Re: Update Log4J library version for Solr 6.6.3

Posted by Walter Underwood <wu...@wunderwood.org>.
log4j 1.x does not have the vulnerability, so you do not need to patch 6.6.3.

If you want a current, non-vulnerable log4j library, you will need to upgrade to Solr 8.11.1.

wunder
Walter Underwood
wunder@wunderwood.org
http://observer.wunderwood.org/  (my blog)

> On Dec 11, 2021, at 3:34 AM, Woei Jong Yoon <wo...@xtremax.com> wrote:
> 
> Hi All,
> 
> Currently, Solr version 6.6.3 is using the log4j library, version 1.2.17.
> 
> If we plan to update the log4j library version to 2.15 because the log4j library is at end of support, may we check whether Solr 6.6.3 is able to support it?
> 
> Additional advice will be appreciated.
> 
> Thank you.
> 
> Regards,
> Yoon Woei Jong
> 
> 
> www.xtremax.com<http://www.xtremax.com/>    l   114 Lavender Street #08-93 CT Hub 2 Singapore 338729