Can dovecot be leveraged to exploit Solr/Log4shell?

Joseph Tam jtam.home at
Mon Dec 13 22:43:47 UTC 2021

I'm surprised I haven't seen this mentioned yet.

An internet red alert went out Friday on a new zero-day exploit.  It is an
input validation problem where Java's Log4j module can be instructed via
a specially crafted string to fetch and execute code from a remote LDAP
server.  It has been designated the Log4shell exploit (CVE-2021-44228).

Although I don't use it, I immediately thought of Solr, which provides
some dovecot installations with search indexing.  Can dovecot be made
to pass on arbitrary loggable strings to affected versions of Solr (7.4.0-7.7.3,

Those running Solr to implement Dovecot FTS should look at

Joseph Tam <jtam.home at>
