Hi,

for Solr you can edit your solr.in.sh file to include:

SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"

and should be enough to prevent this vulnerability.

Ciao

Il 13/12/21 23:43, Joseph Tam ha scritto:

I'm surprised I haven't seen this mentioned yet.

An internet red alert went out Friday on a new zero-day exploit. It is an
input validation problem where Java's Log4j module can be instructed via
a specially crafted string to fetch and execute code from a remote LDAP
server. It has been designated the Log4shell exploit (CVE-2021-44228).

Although I don't use it, I immediately thought of Solr, which provides
some dovecot installations with search indexing. Can dovecot be made
to pass on arbitrary loggable strings to affected versions of Solr (7.4.0-7.7.3,
8.0.0-8.11.0)?

Those running Solr to implement Dovecot FTS should look at

https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

Joseph Tam <jtam.home@gmail.com>

-- 
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice