<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-15">
</head>
<body>
<p>Hi,</p>
<p>For Solr you can edit your solr.in.sh file to include: <br>
</p>
<p>SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"</p>
<p>and that should be enough to prevent this vulnerability.</p>
<p>Ciao<br>
</p>
<div class="moz-cite-prefix">On 13/12/21 23:43, Joseph Tam wrote:<br>
</div>
<blockquote type="cite"
cite="mid:mpine.2112131430330.13212@nodomain">
<br>
I'm surprised I haven't seen this mentioned yet.
<br>
<br>
An internet red alert went out Friday on a new zero-day exploit.
It is an
<br>
input validation problem where Java's Log4j module can be
instructed via
<br>
a specially crafted string to fetch and execute code from a remote
LDAP
<br>
server. It has been designated the Log4shell exploit
(CVE-2021-44228).
<br>
<br>
Although I don't use it, I immediately thought of Solr, which
provides
<br>
some dovecot installations with search indexing. Can dovecot be
made
<br>
to pass on arbitrary loggable strings to affected versions of Solr
(7.4.0-7.7.3,
<br>
8.0.0-8.11.0)?
<br>
<br>
Those running Solr to implement Dovecot FTS should look at
<br>
<br>
<a class="moz-txt-link-freetext" href="https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228">https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228</a>
<br>
<br>
Joseph Tam <a class="moz-txt-link-rfc2396E" href="mailto:jtam.home@gmail.com">&lt;jtam.home@gmail.com&gt;</a>
<br>
</blockquote>
<pre class="moz-signature" cols="72">--
Alessio Cecchi
Postmaster @ <a class="moz-txt-link-freetext" href="http://www.qboxmail.it">http://www.qboxmail.it</a>
<a class="moz-txt-link-freetext" href="https://www.linkedin.com/in/alessice">https://www.linkedin.com/in/alessice</a></pre>
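<p>An added example, not part of the message above or of Solr: a shell check that the SOLR_OPTS setting from the reply is actually in effect in a given solr.in.sh, appending it once if it is missing. The function names, the .bak backup and the sample file contents are assumptions made for this illustration.</p>

```shell
#!/bin/sh
# Added example (not from the thread): check and apply the solr.in.sh setting.
FLAG='-Dlog4j2.formatMsgNoLookups=true'
LINE='SOLR_OPTS="$SOLR_OPTS '"$FLAG"'"'

# Exit 0 if the flag is in the *effective* SOLR_OPTS after the file is sourced.
# Sourcing in a subshell ignores commented-out lines and catches a later
# SOLR_OPTS= assignment that overwrites the flag. Assumption: the file is a
# trusted, admin-owned shell fragment (it is executed here).
has_log4j_mitigation() {
    [ -r "$1" ] || return 2
    (
        SOLR_OPTS=''
        . "$1" >/dev/null 2>&1 || exit 2
        case " $SOLR_OPTS " in
            *" $FLAG "*) exit 0 ;;
            *) exit 1 ;;
        esac
    )
}

# Append the line from the message if missing; keep a backup; re-verify.
ensure_log4j_mitigation() {
    if has_log4j_mitigation "$1"; then return 0; fi
    cp -p "$1" "$1.bak" || return 1
    printf '\n%s\n' "$LINE" >> "$1" || return 1
    has_log4j_mitigation "$1"
}

# Constructed sample: flag present only in a comment, so it is not active.
demo() {
    d=$(mktemp -d) || return 1
    f="$d/solr.in.sh"
    printf '%s\n' 'SOLR_HEAP="512m"' "#$LINE" > "$f"
    has_log4j_mitigation "$f" && before=set || before=missing
    ensure_log4j_mitigation "$f" && after=set || after=missing
    rm -rf "$d"
    echo "before=$before after=$after"
}
demo
```

<p>Solr has to be restarted for a changed solr.in.sh to take effect.</p>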
</body>
</html>