Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2021/12/14 20:57:56 UTC

[GitHub] [solr] mario-canva commented on pull request #454: SOLR-15843 Update Log4J to 2.15

mario-canva commented on pull request #454:
URL: https://github.com/apache/solr/pull/454#issuecomment-993998543


   The [Apache log4j security advisory](https://logging.apache.org/log4j/2.x/security.html) was updated recently, stating that the flag `-Dlog4j2.formatMsgNoLookups=true` is not a sufficient mitigation for log4j versions below 2.15.0, which is the case for Solr 7.7.3 and below, so the [Solr advisory](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) also needs to be updated.
   
   What other possible mitigations can we use for Solr 7.7.3? Any chance of getting a patch for this version as well? I know it is stated to be [out of maintenance](https://github.com/apache/solr/pull/454#issuecomment-990987372), but a patch would really go a long way in helping people to mitigate this vulnerability. Let me know if creating a PR helps in getting a patch moving and I will raise one.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


