Can dovecot be leveraged to exploit Solr/Log4shell?

Aki Tuomi aki.tuomi at open-xchange.com
Tue Dec 14 07:05:59 UTC 2021 

Dovecot itself has no log4j vulnerability as Dovecot does not use Java or Log4j directly. Solr, however, does use log4j. Please see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 for further information on upgrading or mitigating the issue.

Aki

> On 14/12/2021 04:23 Scott <qmail at top-consulting.net> wrote:
> 
>  
> Is this assuming you log at some verbose level ? What if you log at WARN or higher ? 
> 
> For production it seems kind of silly to log search queries anyways.
> 
> Scott
> 
> -----Original Message-----
> From: dovecot <dovecot-bounces at dovecot.org> On Behalf Of John Fawcett
> Sent: Monday, December 13, 2021 8:52 PM
> To: dovecot at dovecot.org
> Subject: Re: Can dovecot be leveraged to exploit Solr/Log4shell?
> 
> On 13/12/2021 23:43, Joseph Tam wrote:
> >
> > I'm surprised I haven't seen this mentioned yet.
> >
> > An internet red alert went out Friday on a new zero-day exploit. It is 
> > an input validation problem where Java's Log4j module can be 
> > instructed via a specially crafted string to fetch and execute code 
> > from a remote LDAP server.  It has been designated the Log4shell exploit (CVE-2021-44228).
> >
> > Although I don't use it, I immediately thought of Solr, which provides 
> > some dovecot installations with search indexing.  Can dovecot be made 
> > to pass on arbitrary loggable strings to affected versions of Solr 
> > (7.4.0-7.7.3, 8.0.0-8.11.0)?
> >
> > Those running Solr to implement Dovecot FTS should look at
> >
> >     
> > https://solr.apache.org/security.html#apache-solr-affected-by-apache-l
> > og4j-cve-2021-44228
> >
> >
> > Joseph Tam <jtam.home at gmail.com>
> 
> Solr logs the search strings passed, so potentially authenticated users could log malicious strings by searching for them. I do see escaping of some special characters in the log, but not sure if that would be a sufficient mitigation. In my web server logs I see all kinds of patterns that are trying to circumvent WAF rules, so maybe someone will come up with a way of getting the malicious string into the solr log.
> 
> As Apache Solr is mentioned as one of the software that is impacted, the mitigations are to upgrade to a non vulnerable version asap and in the meantime turn off JNDI lookups.
> 
> John
> 
> 
> 
> 
> This is a private message

More information about the dovecot mailing list