Is this assuming you log at some verbose level ? What if you log at WARN or higher ?
For production it seems kind of silly to log search queries anyways.
Scott
-----Original Message----- From: dovecot dovecot-bounces@dovecot.org On Behalf Of John Fawcett Sent: Monday, December 13, 2021 8:52 PM To: dovecot@dovecot.org Subject: Re: Can dovecot be leveraged to exploit Solr/Log4shell?
On 13/12/2021 23:43, Joseph Tam wrote:
I'm surprised I haven't seen this mentioned yet.
An internet red alert went out Friday on a new zero-day exploit. It is an input validation problem where Java's Log4j module can be instructed via a specially crafted string to fetch and execute code from a remote LDAP server. It has been designated the Log4shell exploit (CVE-2021-44228).
Although I don't use it, I immediately thought of Solr, which provides some dovecot installations with search indexing. Can dovecot be made to pass on arbitrary loggable strings to affected versions of Solr (7.4.0-7.7.3, 8.0.0-8.11.0)?
Those running Solr to implement Dovecot FTS should look at
https://solr.apache.org/security.html#apache-solr-affected-by-apache-l og4j-cve-2021-44228
Joseph Tam jtam.home@gmail.com
Solr logs the search strings passed, so potentially authenticated users could log malicious strings by searching for them. I do see escaping of some special characters in the log, but not sure if that would be a sufficient mitigation. In my web server logs I see all kinds of patterns that are trying to circumvent WAF rules, so maybe someone will come up with a way of getting the malicious string into the solr log.
As Apache Solr is mentioned as one of the software that is impacted, the mitigations are to upgrade to a non vulnerable version asap and in the meantime turn off JNDI lookups.
John
This is a private message