Only setting -Dlog4j2.formatMsgNoLookups=true might not be enough to mitigate the log4j vulnerability.
See https://github.com/kmindi/log4shell-vulnerable-app: “So even with LOG4J_FORMAT_MSG_NO_LOOKUPS true version 2.14.1 of log4j is vulnerable when using ThreadContextMap in PatternLayout.”

ThreadContext.put(key, value) is used under the hood by MDC. I’m not sure whether any user input is actually stored in MDC in SOLR.

Probably this should be updated: https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

And maybe consider releasing patch releases for other versions than 8.11 as well which include log4j 2.16.0?

Regards,

Fredrik

--
Fredrik Rødland
Cell: +47 99 21 98 17
Maisen Pedersens vei 1
Twitter: @fredrikr
NO-1363 Høvik, NORWAY
flickr: http://www.flickr.com/fmmr/
http://rodland.no
about.me http://about.me/fmr
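Because the message's point is that the `formatMsgNoLookups` flag alone is not a reliable mitigation and that an upgraded log4j-core is, the practical check a defender wants is an inventory of which log4j-core version is actually on the classpath. The following script is an added example (not part of the mailing-list thread or of the Solr project) that reads the Maven `pom.properties` entry a log4j-core jar carries and flags versions below 2.16.0. It assumes the standard Maven artifact layout inside the jar and builds a constructed sample jar in memory so it runs offline.

```python
import io
import re
import zipfile
from pathlib import Path

# Version the message recommends moving to (log4j 2.16.0).
MIN_SAFE_VERSION = (2, 16, 0)

# Assumption: standard Maven-built log4j-core jars carry their version here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def log4j_core_version(jar_bytes: bytes):
    """Return the log4j-core version recorded in a jar's pom.properties, or None
    when the jar does not contain log4j-core at all."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
        for line in props.splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def needs_upgrade(jar_bytes: bytes) -> bool:
    """True when the jar ships a log4j-core older than MIN_SAFE_VERSION."""
    version = log4j_core_version(jar_bytes)
    if version is None:
        return False
    return parse_version(version) < MIN_SAFE_VERSION


def scan_directory(root: str) -> list:
    """Walk a directory tree (e.g. a Solr install) and list jars that need upgrading.
    Returns (path, version) pairs."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the inventory
        version = log4j_core_version(data)
        if version is not None and parse_version(version) < MIN_SAFE_VERSION:
            findings.append((str(path), version))
    return findings


def build_sample_jar(version: str) -> bytes:
    """Constructed sample: a minimal jar containing only the pom.properties entry,
    so the checker can be exercised without a real log4j-core artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPERTIES,
            "groupId=org.apache.logging.log4j\n"
            "artifactId=log4j-core\n"
            f"version={version}\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.16.0"):
        print(f"log4j-core {v}: needs upgrade = {needs_upgrade(build_sample_jar(v))}")
```

Run it against a real install with `scan_directory("/opt/solr")`; the version check is independent of any `-Dlog4j2.formatMsgNoLookups` setting, which is exactly why it is the more trustworthy signal here. Nested jars (a jar inside a war or a fat jar) are not descended into by this example.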
