The Log4j vulnerability has been classified as a grade 10 vulnerability (the most severe rating) by the
National Cyber Security Centre and JISC due to the relative ease in exploiting and significant impact. So,
when we first heard the announcement, it was a mad scramble to workout how to patch our SOLR servers.

Apache SOLR security suggested several mitigations on their site .
Upgrading SOLR to the latest version would have been a no-brainer for most organisations, but not so much
for teams working on Sitecore.

Sitecore 9.3 is compatible only with SOLR 8.1.1, which is affected by the vulnerability. Therefore, the
only options we had were to patch the existing version.

Being the ever optimists, we went for the simplest of the available solutions. Update the SOLR_OPTS to set
formatMsgNoLookups = true using the following steps

• Navigate to solr-8.1.1\bin folder
• Open solr.in.cmd file and add the following line

set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true

• Save the file
• Restart SOLR with the following command

.\bin\solr stop -all
.\bin\solr start -f -p 8983

All was well until it was announced that the -D flag patch was not sufficient to fix the vulnerability.
This left us with the only option of upgrading Log4j to version 2.16. The biggest challenge as .NET
developers was to workout which files to update and how to get the latest versions of those files. After
much research and investigation, this is what worked for us.

• Download log4j version 2.16 from https://www.apache.org/dyn/closer.lua/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip
  • The following JAR files are used from the downloaded ZIP (log4j-1.2-api-2.16.0, log4j-api-2.16.0,
    log4j-core-2.16.0, log4j-slf4j18-impl-2.16.0, log4j-web-2.16.0)
• Download slf4j-api version 1.7.32 from https://repo1.maven.org/maven2/org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.jar
• Download slf4j-simple version 1.7.32 from https://repo1.maven.org/maven2/org/slf4j/slf4j-simple/1.7.32/slf4j-simple-1.7.32.jar
  • This JAR is not in the folder. We had to add this JAR to get rid of the error below

SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

• Stop SOLR service
• Replace the JAR Files in solr-8.1.1\server\lib\ext directory
• Start SOLR service

Log4j is also used by prometheus-explorer, which is in /solr/contrib directory. The
following JAR files were copied into /solr/contrib/prometheus-explorer/lib directory

• log4j-api-2.16.0
• log4j-core-2.16.0
• log4j-slf4j18-impl-2.16.0
• log4j-web-2.16.0
• slf4j-simple-1.7.32
• slf4j-api-1.7.32