Thanks, even though log4j in solr is not affected by log4shell issue, I wanted to check if its possible to upgrade log4j with out upgrading solr As log4j version is end of life and apache recommends to upgrade to log4j version 2
https://news.apache.org/foundation/entry/apache_logging_services_project_announces Thanks From: Jan Høydahl <[email protected]> Sent: Friday, March 31, 2023 11:56 AM To: [email protected] Subject: Re: Upgrading log4j Hi, Why do you believe you need to upgrade log4j in solr 6? It was not affected by the log4shell issue. See our article at https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228<https://urldefense.com/v3/__https:/solr.apache.org/security.html*apache-solr-affected-by-apache-log4j-cve-2021-44228__;Iw!!NknhfzgzgQ!2KWSIHcbebOq1B16_TJmVISjx9IB9d9hAMe2Xa1M2vA4dSGDwuSJMyxiGHzxWSBsChsqhRlO19OqFkn5ywtHmbmvGtFWQu4$> where we state that Solr 7.4.0 is the earliest Solr version vulnerable to log4shell. But of course, running such an old version of Solr makes you vulnerable to other risks: NVD - Results<https://urldefense.com/v3/__https:/nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe*3A*2F*3Aapache&cpe_product=cpe*3A*2F*3Aapache*3Asolr&cpe_version=cpe*3A*2F*3Aapache*3Asolr*3A6.6.6__;JSUlJSUlJSUlJSUl!!NknhfzgzgQ!2KWSIHcbebOq1B16_TJmVISjx9IB9d9hAMe2Xa1M2vA4dSGDwuSJMyxiGHzxWSBsChsqhRlO19OqFkn5ywtHmbmv2MA-phI$> nvd.nist.gov<https://urldefense.com/v3/__https:/nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe*3A*2F*3Aapache&cpe_product=cpe*3A*2F*3Aapache*3Asolr&cpe_version=cpe*3A*2F*3Aapache*3Asolr*3A6.6.6__;JSUlJSUlJSUlJSUl!!NknhfzgzgQ!2KWSIHcbebOq1B16_TJmVISjx9IB9d9hAMe2Xa1M2vA4dSGDwuSJMyxiGHzxWSBsChsqhRlO19OqFkn5ywtHmbmv2MA-phI$> [cid:[email protected]]<https://urldefense.com/v3/__https:/nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe*3A*2F*3Aapache&cpe_product=cpe*3A*2F*3Aapache*3Asolr&cpe_version=cpe*3A*2F*3Aapache*3Asolr*3A6.6.6__;JSUlJSUlJSUlJSUl!!NknhfzgzgQ!2KWSIHcbebOq1B16_TJmVISjx9IB9d9hAMe2Xa1M2vA4dSGDwuSJMyxiGHzxWSBsChsqhRlO19OqFkn5ywtHmbmv2MA-phI$> Jan 31. mar. 2023 kl. 16:37 skrev Aravind Reddy Jangam <[email protected]<mailto:[email protected]>>: Hi We are running solr verions 6 & log4j version 1.x Is it possible to upgrade log4j to version 2.x with out upgrading solr 6 Thanks Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately. Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately.
