Can dovecot be leveraged to exploit Solr/Log4shell?
Joseph Tam
jtam.home at gmail.com
Mon Dec 13 22:43:47 UTC 2021
I'm surprised I haven't seen this mentioned yet.
An internet red alert went out Friday on a new zero-day exploit. It is an
input validation problem where Java's Log4j module can be instructed via
a specially crafted string to fetch and execute code from a remote LDAP
server. It has been designated the Log4shell exploit (CVE-2021-44228).
Although I don't use it, I immediately thought of Solr, which provides
some dovecot installations with search indexing. Can dovecot be made
to pass on arbitrary loggable strings to affected versions of Solr (7.4.0-7.7.3,
8.0.0-8.11.0)?
Those running Solr to implement Dovecot FTS should look at
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
Joseph Tam <jtam.home at gmail.com>
More information about the dovecot
mailing list