Without going into too much detail, to make a long story short:
The log4j vulnerability (CVE-2021-44228) is an exploit that can be used by attackers (or anybody else) to execute remote code, on a vulnerable system, because log4j will actually grab any line in the log file, that matches a certain format, and execute that line as if it was a native command / program.
Is the Opensolr service vulnerable to the lg4j exploit?
No. This vulnerability has been fully patched throughout the entire Opensolr ecosystem, on Dec. 11 2021.
Did this vulnerability affect aything on my servers?
No. However, you should probably do the due dilligence of patching any Java application you may be running on your end or in your organization, if they are using log4j (which they most probably do).
I am running Solr version 1 2 3 4 5 6 7 or 8. Am I safe?
Yes. This patch applies to all Solr versions. So you can keep running your Solr version that you are running now.
This is not a Solr vulnerability. It is a log4j vulnerability, which affects ANY Java applications that use the log4j library. So having log4j patched, will solve this issue for any Solr version.
However if you must use a different Solr version, you can go to your Opensolr Control Panel and add a new index, in a more recent Solr Version Container (server).
We can do that for you, but it's not going to be free.
I am running Solr, and/or other Java applications with log4j on my own. What do I have to do?
Google is your friend (as opposed to the popular belief).
The websites it finds while searching for this topic, will give you hints and ideas about how to mitigate this exploit.
