Can dovecot be leveraged to exploit Solr/Log4shell?

Joseph Tam jtam.home at gmail.com
Mon Dec 13 22:43:47 UTC 2021


I'm surprised I haven't seen this mentioned yet.

An internet red alert went out Friday on a new zero-day exploit.  It is an
input validation problem where Java's Log4j module can be instructed via
a specially crafted string to fetch and execute code from a remote LDAP
server.  It has been designated the Log4shell exploit (CVE-2021-44228).

Although I don't use it, I immediately thought of Solr, which provides
some dovecot installations with search indexing.  Can dovecot be made
to pass on arbitrary loggable strings to affected versions of Solr (7.4.0-7.7.3,
8.0.0-8.11.0)?

Those running Solr to implement Dovecot FTS should look at

 	https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

Joseph Tam <jtam.home at gmail.com>


More information about the dovecot mailing list