Lucene Search Engine Contains Old Log4j and POI 2.4.2.4

Please upgrade Lucene Search Engine application with updated log4j and poi jar files.

The below was found during a network scan. Upon removing this application, these jar files were removed.

Path : C:\sqbox\lucee\tomcat\lucee-server\bundles\log4j-1.2.17.jar
Installed version : 1.2.17

Path : C:\sqbox\lucee\tomcat\lucee-server\felix-cache\bundle102\version0.0\bundle.jar
Installed version : 1.2.17

Path : C:\sqbox\lucee\tomcat\lucee-server\bundles\org.apache.poi-2.5.1.jar
Installed version : 2.5.1
Fixed version : 3.17

So it appears the POI is bundled in the latest version of Lucene Search Engine application. That application needs updated with it’s bundled jar files. Still not sure about the log4j version that keeps appearing in this location.

the Lucene extension is deprecated and will no longer be bundled by default with the 5.4 or 6.0 releases

2 Likes