Can dovecot be leveraged to exploit Solr/Log4shell?

John Fawcett john at
Wed Dec 15 18:16:55 UTC 2021

On 15/12/2021 08:52, Aki Tuomi wrote:
> The suggested configuration is good, and although we did some checking to ensure that dovecot escapes the search queries and usernames sent to solr, so it is not trivial to send the JNDI expansion strings to be logged by solr, it is still a good idea to set this.
Agreed, it is worthwhile taking the advised mitigation steps regardless 
of the escaping done in Dovecot. Reasoning is:

1) escaping may not be 100% foolproof - there are people out there 
working on bypassing such things

2) the search string method is not the only attack vector for SOLR. If 
people have SOLR exposed on an internet host, even if password 
protected, it doesn't mean to say that SOLR is not logging failed access 
attempts that can easily contain the attack string.


