I've got a very old version of Solr and I've been trying to see if it is affected by the Log4Shell vulnerability that everybody is freaking out about (CVE-2021-44228).
The CVE only seems to apply to later versions, but a colleague doesn't buy it, so I'm trying to figure out the truth.
I'm about 95% sure this is fine for older versions of Log4j. Three reasons:
1. I'm on version 1.2. I found the Log4j JAR file on my system, unzipped it, and looked for anything mentioning JNDI:

   That brought back nothing, so I feel pretty good there. The CVE says that you'd normally find something by looking in the JAR file. It suggests you do:

   That wouldn't do anything for me.

2. I dug through the changelog for Log4j. It says for version 2.0-beta9:

   So I think it's safe to say that JNDI didn't exist in Log4j before then. The Jira ticket that added it is here.

3. I checked the old manual for version 1.2 and compared it to the latest version. In the latest, there's a section for "Lookups" that explains how JNDI works. In version 1.2, that section just isn't there.
I think it's...fine?
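A scripted version of the first check in the post, added here as an example and not the poster's own commands: it reads the JAR manifest's version, lists every entry whose name mentions JNDI, and looks for the Log4j 2.x lookup class (`org/apache/logging/log4j/core/lookup/JndiLookup.class`, the class that implements the `${jndi:...}` lookup at the centre of CVE-2021-44228). The two sample JARs are constructed in-line as stand-ins for a 1.x and a 2.x build.

```python
import io
import zipfile

# Implements the ${jndi:...} lookup in Log4j 2.x; it does not exist in Log4j 1.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def inspect_log4j_jar(jar_bytes):
    """Report the manifest version, JNDI-related entries and JndiLookup presence of a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    return {
        "version": version,
        "jndi_entries": sorted(n for n in names if "jndi" in n.lower()),
        "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
    }


def inspect_log4j_jar_file(path):
    """Same check for a JAR on disk (e.g. the one found under a Solr install)."""
    with open(path, "rb") as f:
        return inspect_log4j_jar(f.read())


def verdict(report):
    """One-line triage summary of a report from inspect_log4j_jar()."""
    if report["has_jndi_lookup"]:
        return "JndiLookup.class present: Log4j 2.x lookup code is on the classpath, assess against CVE-2021-44228"
    if report["jndi_entries"]:
        return "no JndiLookup.class, but JNDI-related entries exist: " + ", ".join(report["jndi_entries"])
    return "no JNDI code in this JAR (consistent with Log4j 1.x, which predates the lookup feature)"


def build_sample_jar(version, entries):
    """Constructed stand-in for a real JAR: a zip with a manifest and empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed samples; entry names follow the package layout of each major version.
OLD_JAR = build_sample_jar("1.2.17", ["org/apache/log4j/Logger.class"])
NEW_JAR = build_sample_jar("2.14.1", ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP_CLASS])

if __name__ == "__main__":
    for label, data in (("old", OLD_JAR), ("new", NEW_JAR)):
        report = inspect_log4j_jar(data)
        print(label, report["version"], verdict(report))
```

Point `inspect_log4j_jar_file()` at the real JAR to get the same report for an installed copy.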