...
Description: Locator releases prior to 3.3.1 were using a bundled Solr that were bundled using a version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Solr security page https://solr.apache.org/security.html .
Locator releases prior to 3.3.1 were using a bundled ZooKeeper that were bundled using log4j 1.2.17 which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423
Locator releases prior to 2.11.903 were using a bundled Solr that were bundled with Solr using log4j 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.
Locator releases prior to 2.11.903 were using a bundled ZooKeeper that were bundled using log4j 1.2.17 which may be vulnerable. See https://issues.apache.org/jira/browse/ZOOKEEPER-4423.
...