Hi,

for Solr you can edit your solr.in.sh file to include:

SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"

and should be enough to prevent this vulnerability.

Ciao

On 13/12/21 23:43, Joseph Tam wrote:
>
> I'm surprised I haven't seen this mentioned yet.
>
> An internet red alert went out Friday on a new zero-day exploit. It is an
> input validation problem where Java's Log4j module can be instructed via
> a specially crafted string to fetch and execute code from a remote LDAP
> server. It has been designated the Log4shell exploit (CVE-2021-44228).
>
> Although I don't use it, I immediately thought of Solr, which provides
> some dovecot installations with search indexing. Can dovecot be made
> to pass on arbitrary loggable strings to affected versions of Solr
> (7.4.0-7.7.3, 8.0.0-8.11.0)?
>
> Those running Solr to implement Dovecot FTS should look at
>
>     https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
>
> Joseph Tam <jtam.home at gmail.com>

-- 
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
The suggested configuration is good, and although we did some checking to ensure that dovecot escapes the search queries and usernames sent to solr, so it is not trivial to send the JNDI expansion strings to be logged by solr, it is still a good idea to set this.

Aki

> On 15/12/2021 09:45 Alessio Cecchi <alessio at skye.it> wrote:
>
>
> Hi,
> for Solr you can edit your solr.in.sh file to include:
>
> SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
> and should be enough to prevent this vulnerability.
> Ciao
>
> On 13/12/21 23:43, Joseph Tam wrote:
> >
> > I'm surprised I haven't seen this mentioned yet.
> >
> > An internet red alert went out Friday on a new zero-day exploit. It is an
> > input validation problem where Java's Log4j module can be instructed via
> > a specially crafted string to fetch and execute code from a remote LDAP
> > server. It has been designated the Log4shell exploit (CVE-2021-44228).
> >
> > Although I don't use it, I immediately thought of Solr, which provides
> > some dovecot installations with search indexing. Can dovecot be made
> > to pass on arbitrary loggable strings to affected versions of Solr (7.4.0-7.7.3,
> > 8.0.0-8.11.0)?
> >
> > Those running Solr to implement Dovecot FTS should look at
> >
> > https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
> >
> > Joseph Tam <jtam.home at gmail.com>
>
>
> -- 
> Alessio Cecchi
> Postmaster @ http://www.qboxmail.it
> https://www.linkedin.com/in/alessice
On 15.12.21 08:45, Alessio Cecchi wrote:
> SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
> and should be enough to prevent this vulnerability.

Possibly not anymore, see CVE-2021-45046 ("re-opened" CVE-2021-44228 for v2 prior to 2.16.0) and CVE-2021-4104 (variant for v1, in the meantime - at least by Red Hat - downgraded to *not* be a *Remote* Code Execution (RCE) vuln) ...

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
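Added example, not written by any of the posters above and not part of the Solr project: a small Python check that encodes the three points raised in this thread. It tests whether a Solr version falls inside the affected ranges Joseph names (7.4.0-7.7.3, 8.0.0-8.11.0), whether an active (not commented-out) SOLR_OPTS line in solr.in.sh carries the -Dlog4j2.formatMsgNoLookups=true flag Alessio suggests, and, following Jochen's caveat, reports the flag alone as only a partial mitigation when the bundled log4j 2.x is older than 2.16.0. The solr.in.sh content below is constructed, and the function names and status labels are my own.

```python
"""Log4Shell posture check for a Solr host, following the thread's advice.

Inputs are assumed to be gathered by the operator: the Solr version string,
the text of solr.in.sh, and the bundled log4j 2.x version (for example read
from the log4j-core-*.jar file name). The affected Solr ranges and the
log4j 2.16.0 threshold are the values named in the thread.
"""
import re
from typing import Tuple

Version = Tuple[int, ...]

# Solr versions the thread names as shipping a vulnerable log4j2 (inclusive bounds).
AFFECTED_SOLR_RANGES = (((7, 4, 0), (7, 7, 3)), ((8, 0, 0), (8, 11, 0)))

# log4j 2.x below this still had the CVE-2021-45046 issue mentioned in the thread,
# so the formatMsgNoLookups flag by itself is reported as a partial mitigation.
LOG4J2_FIXED_FOR_45046 = (2, 16, 0)

NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text: str) -> Version:
    """Turn '8.11.0' (or a shorter '8.11') into a comparable 3-tuple of ints."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text)[:3])
    return parts + (0,) * (3 - len(parts))


def solr_version_affected(version: str) -> bool:
    """True if the Solr version lies in one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_SOLR_RANGES)


def has_nolookups_flag(solr_in_sh: str) -> bool:
    """True only if an active SOLR_OPTS assignment contains the no-lookups flag.

    A commented-out line (a common leftover after a half-applied change) does not
    count, because the shell never evaluates it.
    """
    for line in solr_in_sh.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if re.match(r"^(export\s+)?SOLR_OPTS=", stripped) and NOLOOKUPS_FLAG in stripped:
            return True
    return False


def assess(solr_version: str, solr_in_sh: str, log4j2_version: str) -> dict:
    """Summarise exposure and which of the thread's mitigations are in place."""
    affected = solr_version_affected(solr_version)
    flag_set = has_nolookups_flag(solr_in_sh)
    log4j_old = parse_version(log4j2_version) < LOG4J2_FIXED_FOR_45046
    if not affected:
        status = "solr-not-in-affected-range"
    elif not flag_set and log4j_old:
        status = "exposed"
    elif flag_set and log4j_old:
        status = "mitigated-by-flag-only"  # CVE-2021-45046 caveat from the thread
    else:
        status = "log4j-updated"
    return {
        "solr_affected": affected,
        "flag_set": flag_set,
        "log4j_below_2_16": log4j_old,
        "status": status,
    }


# Constructed sample of a solr.in.sh; not taken from any real host.
SAMPLE_SOLR_IN_SH = """\
SOLR_HEAP="2g"
#SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
"""

if __name__ == "__main__":
    # Hypothetical host: Solr 8.11.0 with the flag set but log4j still at 2.14.1.
    print(assess("8.11.0", SAMPLE_SOLR_IN_SH, "2.14.1"))
```

The status "mitigated-by-flag-only" is the case the last reply warns about: the SOLR_OPTS line is in place, so the flag is the only thing standing between the host and the lookup behaviour, and the log4j jar itself has not been moved past 2.16.0.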