Can dovecot be leveraged to exploit Solr/Log4shell?

Alessio Cecchi alessio at
Wed Dec 15 07:45:11 UTC 2021


for Solr you can edit your file to include:

SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"

and should be enough to prevent this vulnerability.


Il 13/12/21 23:43, Joseph Tam ha scritto:
> I'm surprised I haven't seen this mentioned yet.
> An internet red alert went out Friday on a new zero-day exploit. It is an
> input validation problem where Java's Log4j module can be instructed via
> a specially crafted string to fetch and execute code from a remote LDAP
> server.  It has been designated the Log4shell exploit (CVE-2021-44228).
> Although I don't use it, I immediately thought of Solr, which provides
> some dovecot installations with search indexing.  Can dovecot be made
> to pass on arbitrary loggable strings to affected versions of Solr 
> (7.4.0-7.7.3,
> 8.0.0-8.11.0)?
> Those running Solr to implement Dovecot FTS should look at
> Joseph Tam <jtam.home at>

Alessio Cecchi
Postmaster @

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the dovecot mailing list