Log4j vulnerability

Are the current Debian/Ubuntu packages vulnerable?

XWiki uses Logback as logger implementation and not Log4j (even if some parts go through the log4j API it still ends up in Logback), so it’s not affected.


Hi Thomas. Thanks for the quick response. I’ll put it here just in case:


@tmortagne is this also the case for older versions of XWiki?

Solr is vulnerable, see: Solr™ Security News - Apache Solr

Yes, XWiki never used the Log4j 2 implementation and moved from commons-logging to slf4j/logback in 3.1 (2011).

Yes, users of a standalone Solr instance should indeed probably think about upgrading it (but I’m not sure it’s so easy to exploit if the Solr instance is not publicly accessible).

The embedded Solr instance (like any other library embedded in XWiki which uses the log4j API) will end up being logged by Logback in practice, which means it’s not vulnerable.
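The distinction made above (log4j API calls bridged into Logback versus a real log4j-core on the classpath) is what an administrator needs to check on a deployment. The inventory script below is an added example, not XWiki's or Solr's own tooling: it classifies every jar in a lib directory by name and by whether it ships the `JndiLookup` class that log4j-core uses for the CVE-2021-44228 lookups, and builds two constructed sample directories (an XWiki-like one and a standalone-Solr-like one) so it runs offline; jar names and contents in the sample are constructed, not taken from real releases.

```python
import tempfile
import zipfile
from pathlib import Path

# CVE-2021-44228 lives in log4j-core's JndiLookup class. The log4j-api jar
# and the SLF4J/Logback bridges do not carry it, so log4j API calls that are
# bridged into Logback never reach the vulnerable code.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
BRIDGE_PREFIXES = ("log4j-to-slf4j", "log4j-over-slf4j", "logback-classic")


def classify_jar(jar_path):
    """Classify one jar by its file name and by the classes it contains."""
    name = Path(jar_path).name
    with zipfile.ZipFile(jar_path) as zf:
        entries = set(zf.namelist())
    if JNDI_LOOKUP in entries:
        return "log4j2-core-with-JndiLookup"    # vulnerable implementation present
    if name.startswith("log4j-core"):
        return "log4j2-core-JndiLookup-removed"  # core jar with the class stripped
    if name.startswith(BRIDGE_PREFIXES):
        return "bridge-to-logback"               # log4j API calls end up in Logback
    if name.startswith("log4j-api"):
        return "log4j2-api-only"                 # API facade, no lookup code
    return "other"


def scan_lib_dir(lib_dir):
    """Map every top-level *.jar in lib_dir to its classification."""
    return {p.name: classify_jar(p) for p in sorted(Path(lib_dir).glob("*.jar"))}


def has_vulnerable_core(report):
    """True only when a log4j-core jar still shipping JndiLookup is present."""
    return "log4j2-core-with-JndiLookup" in report.values()


def _write_jar(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")  # class bodies are irrelevant to the inventory


def make_sample_dirs():
    """Constructed sample: an XWiki-like lib dir (Logback plus log4j API bridge)
    and a standalone-Solr-like lib dir (log4j-core carrying JndiLookup)."""
    root = Path(tempfile.mkdtemp())
    xwiki, solr = root / "xwiki-lib", root / "solr-lib"
    xwiki.mkdir()
    solr.mkdir()
    _write_jar(xwiki / "logback-classic.jar", ["ch/qos/logback/classic/Logger.class"])
    _write_jar(xwiki / "log4j-api.jar", ["org/apache/logging/log4j/Logger.class"])
    _write_jar(xwiki / "log4j-to-slf4j.jar", ["org/apache/logging/slf4j/SLF4JLogger.class"])
    _write_jar(solr / "log4j-api.jar", ["org/apache/logging/log4j/Logger.class"])
    _write_jar(solr / "log4j-core.jar", ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP])
    return xwiki, solr


if __name__ == "__main__":
    for lib in make_sample_dirs():
        report = scan_lib_dir(lib)
        print(lib.name, "VULNERABLE" if has_vulnerable_core(report) else "not affected", report)
```

The scan only looks at top-level jars, so a log4j-core copy nested inside a WAR or a shaded jar would be missed; point it at the expanded lib directory of each service rather than at a packaged archive.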

Currently working on an official statement regarding this issue, with information about the various tools and distributions in the XWiki ecosystem.

edit: done on Log4J CVE-2021-44228 "Log4Shell" Zero-Day Vulnerability