The past week has been a dramatic one with the publication of a series of very serious Log4J issues. The severity of these issues should not be downplayed. Unavoidably, how these issues affect different products and how they can be mitigated has become clouded and unclear.To examine the affect on Apache Solr, here are the key points from Apache Solr's security page regarding the Log4J issue:Only Solr 7.4 and greater is affected.Solr 7.3 and lower use a version of Log4J that is not vulnerable.Solr is not vulnerable to the followup Log4J issues: CVE-2021-45046 and CVE-2021-45105Passing system property log4j2.formatMsgNoLookups=true is suitable to mitigate (this is specific to Solr, and is not the case for other applications using Log4j)See: https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228The best course for mitigation still to upgrade either Solr or the affected Log4j JAR files to the latest version, however it is important to continually analyze how these issues affect your specific installation, as environmental factors are not created equally and it is possible to be more or less at risk depending on the surrounding situation.
