Hi Rajatg, Log4j1.x is not affected, there is no need this will require many other work around to understand the configuration to understand the log4j2. Its better and safer with log4j1.x.
If you check still many patches coming with log4j2 which is now 2.17.1, in my spring boot application I already did upgrade 2 times still fixes are coming. So there should be any need to disturb the perfectly running solr instance and it will be waste of time and resources as per my perspective. If you still looking then I hope it will be due to various configuration properties and variables of log4j2 that need to be realigned. On Thu, 30 Dec 2021, 16:51 Rajath Banagi Ravindra, < [email protected]> wrote: > Hi Aman, > > > > While checking I came across the below. Looks like 1.2.X is also affected > so we upgraded the Log4J JAR file with V2.17.0, post upgrade solr is > loading up fine and search related features are working fine. > > But Logging is not working and even the logging page is not loading and > even admin portal is not loading. Can anyone help me here. > > CVE-2021-4104 > <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2021-4104&data=04%7C01%7CRajath.Ravindra2%40mindtree.com%7C517ee4cf9eff48c57d2308d9c476605a%7C85c997b9f49446b3a11d772983cf6f11%7C0%7C0%7C637756835006373319%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=4c4oid2oRtl0h6bFuHz4ZBt1D5uxB6U499maE3bXUps%3D&reserved=0> > (CVSS > score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 > (No fix available; Upgrade to version 2.17.0) > > Regards > > Rajath > > > > *From:* Aman Tandon <[email protected]> > *Sent:* Wednesday, December 29, 2021 7:36 PM > *To:* [email protected]; Rajath Banagi Ravindra < > [email protected]> > *Subject:* Re: Solr 6.6.1 Log4J fix > > > > * This e-mail originated outside of Mindtree. Exercise caution before > clicking links or opening attachments * > > You should be safe with log4j1.x version > > > > On Wed, 29 Dec 2021, 16:01 Rajath Banagi Ravindra, < > [email protected]> wrote: > > Hi, > > Currently our application uses Solr 6.6.1 version which uses Log4j version > 1.2.17 in it. Can we upgrade it to new version of Log4J. > > Can we just update Log4j JAR file(1.2.17 version) with a new version of > Log4J JAR file instead of updating Solr. Will this work? Kindly confirm. > > Regards-Rajath > > > ________________________________ > > http://www.mindtree.com/email/disclaimer.html > <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.mindtree.com%2Femail%2Fdisclaimer.html&data=04%7C01%7Crajath.ravindra2%40mindtree.com%7C37a569f7782641e1a76708d9cad45a0f%7C85c997b9f49446b3a11d772983cf6f11%7C0%7C0%7C637763836508353983%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ZLNN3%2Fyaypzbp3d3CUjNw67dtPvlbkU73ASFsjNnMkg%3D&reserved=0> > >
