Hi all,
Please can you let me know whether Moodle is impacted by the Log4J Vulnerability?
Just to clarify Tim's point further, the core Moodle LMS is unaffected by Log4Shell, because it does not use log4j (or Java). Of course, any third-party content (plugins, themes, search engines or other software, etc., set up on your infrastructure) would need to be verified by system administrators to confirm whether those may be affected in their instance.
In a separate discussion, Michael Taggart does appear to have confirmed that Tim's example of Solr search's backend is a valid risk, so that is one example where sites utilising it should investigate and patch as necessary.
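For administrators checking the Java software that runs alongside Moodle (a Solr search backend, for instance), the following is an added example, not part of the original thread or of Moodle itself: it inventories Java archives under a directory and reports any that bundle log4j-core's `JndiLookup` class, including copies nested inside WAR or fat-JAR files. The directory to scan is an assumption passed on the command line; the script only locates copies of the class and does not decide whether a given version is patched, which still has to be checked against the vendor's advisory.

```python
import io
import os
import sys
import zipfile

# Class implementing the JNDI lookup in log4j-core; an archive containing it
# bundles log4j-core and needs its version checked against the advisory.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, depth=0, max_depth=4):
    """Return labels of archives (nested ones included) that contain JndiLookup.class."""
    hits = []
    try:
        with zipfile.ZipFile(data) as zf:
            for name in zf.namelist():
                # endswith() also catches copies under WEB-INF/classes/ or similar
                if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                    inner = io.BytesIO(zf.read(name))
                    hits += scan_archive(inner, f"{label}!{name}", depth + 1, max_depth)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # unreadable, corrupt or encrypted archive: skip it
    return hits


def scan_tree(root):
    """Walk a directory (e.g. a search backend's install path) and scan every archive."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                findings += scan_archive(path, path)
    return sorted(set(findings))


if __name__ == "__main__":
    # Assumption: the directory to inventory is given as the first argument.
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("log4j-core JndiLookup found in:", hit)
```

A `!` in the output separates an outer archive from the nested archive inside it, so a hit inside a WAR file shows which bundled JAR carries the class.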