
List:       lucene-dev
Subject:    Re: Log4j < 2.15.0 may still be vulnerable even if -Dlog4j2.formatMsgNoLookups=true is set
From:       David Smiley <dsmiley () apache ! org>
Date:       2021-12-19 21:26:48
Message-ID: CABEwPvHe+bgg_PUXpH0KZ5nDR2TSJRY20kgsrwDTYVLk9k9QnQ () mail ! gmail ! com

I like the idea of using our Wiki more as you describe. Not so much
*new* news entries because I think search-ability of these CVEs is fine to
an existing entry.

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley


On Sat, Dec 18, 2021 at 4:39 PM Gus Heck <gus.heck@gmail.com> wrote:

> Thinking about it some more, maybe the problem with my suggestion is
> the table on that page is organized by the library version and, if
> unmitigated, the version of the library is still a problem. Maybe another
> way to be clearer about it and avoid rewriting things that people have
> already read would be to add independent entries to the security news page
> for the newer CVEs
> 
> On Sat, Dec 18, 2021 at 12:20 PM Gus Heck <gus.heck@gmail.com> wrote:
> 
> > I think perhaps in the shock of such a deep and surprising vulnerability
> > with such high visibility, we've begun to break with how we normally handle
> > CVEs that don't apply to our usage of the library. Previously, they just
> > got added to the list of known false positives
> > <https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools>.
> > Normally we wouldn't even mention them on the security news page, but
> > because of the high visibility we should simply have a line mentioning that
> > these two CVEs are on our false positives page and explain details there.
> > The wiki would provide revision history automatically.
> > 
> > On Sat, Dec 18, 2021 at 11:25 AM Jan Høydahl <jan.asf@cominvent.com>
> > wrote:
> > 
> > > We make edits to the log4j advisory almost daily, see
> > > https://github.com/apache/solr-site/commits/e10a6a9fe0eed8dcba3ad1a076c8208e014e76ff/content/solr/security/2021-12-10-cve-2021-44228.md
> > > I wonder if we should include a "Revision history" paragraph in the
> > > advisory for transparency?
> > > 
> > > Jan
> > > 
> > > > On 15 Dec 2021, at 19:09, Uwe Schindler <uwe@thetaphi.de> wrote:
> > > 
> > > Hi all, I prepared a PR about the followup CVE-2021-45046:
> > > https://github.com/apache/solr-site/pull/59
> > > 
> > > > Please verify and make suggestions. I will merge this into
> > > > main/production later.
> > > 
> > > Uwe
> > > 
> > > -----
> > > Uwe Schindler
> > > Achterdiek 19, D-28357 Bremen
> > > https://www.thetaphi.de
> > > eMail: uwe@thetaphi.de
> > > 
> > > *From:* Uwe Schindler <uwe@thetaphi.de>
> > > *Sent:* Wednesday, December 15, 2021 3:31 PM
> > > *To:* 'dev@lucene.apache.org' <dev@lucene.apache.org>
> > > *Subject:* RE: Log4j < 2.15.0 may still be vulnerable even if
> > > -Dlog4j2.formatMsgNoLookups=true is set
> > > 
> > > We should add this to the webpage. Another one asked on the security
> > > mailing list.
> > > 
> > > Uwe
> > > 
> > > -----
> > > Uwe Schindler
> > > Achterdiek 19, D-28357 Bremen
> > > https://www.thetaphi.de
> > > eMail: uwe@thetaphi.de
> > > 
> > > *From:* Gus Heck <gus.heck@gmail.com>
> > > *Sent:* Wednesday, December 15, 2021 12:39 AM
> > > *To:* dev <dev@lucene.apache.org>
> > > *Subject:* Re: Log4j < 2.15.0 may still be vulnerable even if
> > > -Dlog4j2.formatMsgNoLookups=true is set
> > > 
> > > > Perhaps we could tweak it to say that the system property fix is
> > > > sufficient *for Solr* (i.e. not imply that it is a valid workaround for
> > > > all cases)
> > > 
> > > On Tue, Dec 14, 2021 at 6:20 PM Uwe Schindler <uwe@thetaphi.de> wrote:
> > > 
> > > The other attack vectors are also not possible with Solr:
> > > 
> > > - Logger.printf("%s", userInput) is not used
> > > - custom message factory is not used
> > > 
> > > Uwe
> > > > On 14 December 2021 22:59:26 UTC, Uwe Schindler <uwe@thetaphi.de> wrote:
> > > 
> > > It is still a valid mitigation.
> > > 
> > > Mike Drobban I explained it. MDC is the other attack vector and that's
> > > not an issue with Solr.
> > > 
> > > Please accept this, just because the documentation of log4j changes,
> > > there's no additional risk. We may update the mitigation to mention that in
> > > Solr's case the system property is fine.
> > > 
> > > Uwe
> > > > On 14 December 2021 22:52:29 UTC, solr <fredrik@rodland.no> wrote:
> > > 
> > > Ok.
> > > 
> > > > But FTR - apache/log4j has discredited just setting the system property as a
> > > > mitigation measure, so I still think the SOLR security-page should be changed
> > > > to not list this as a valid mitigation:
> > > > https://logging.apache.org/log4j/2.x/security.html
> > > > "Older (discredited) mitigation measures
> > > > 
> > > > This page previously mentioned other mitigation measures, but we discovered
> > > > that these measures only limit exposure while leaving some attack vectors open.
> > > > 
> > > > Other insufficient mitigation measures are: setting system property
> > > > log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS
> > > > to true for releases >= 2.10, or modifying the logging configuration to disable
> > > > message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for
> > > > releases >= 2.7 and <= 2.14.1."
> > > 
> > > Regards,
> > > 
> > > 
> > > Fredrik
> > > 
> > > 
> > > --
> > > Fredrik Rødland               Cell:    +47 99 21 98 17
> > > Maisen Pedersens vei 1        Twitter: @fredrikr
> > > NO-1363 Høvik, NORWAY         flickr:  http://www.flickr.com/fmmr/
> > > http://rodland.no             about.me http://about.me/fmr
> > > 
> > > On 14 Dec 2021, at 23:44, Mike Drob <mdrob@mdrob.com> wrote:
> > > 
> > > > The MDC Patterns used by solr are for the collection, shard, replica, core and
> > > > node names, and a potential trace id. All of those are restricted to
> > > > alphanumeric, no special characters like $ or { needed for the injection. And
> > > > trying to access a collection that didn't exist returns 404 without logging.
> > > > 
> > > > Upgrading is always going to be more complete, but I think we're still ok for
> > > > now, at least until the next iteration of this attack surfaces.
> > > 
> > > 
> > > On Tue, Dec 14, 2021 at 3:37 PM solr <fredrik@rodland.no> wrote:
> > > > Only setting -Dlog4j2.formatMsgNoLookups=true might not be enough to mitigate
> > > > the log4j vulnerability.
> > > > 
> > > > See https://github.com/kmindi/log4shell-vulnerable-app
> > > > "So even with LOG4J_FORMAT_MSG_NO_LOOKUPS true version 2.14.1 of log4j is
> > > > vulnerable when using ThreadContextMap in PatternLayout."
> > > > 
> > > > ThreadContext.put(key, value) is used under the hood by MDC. I'm not sure
> > > > whether any user-input is actually stored in MDC in SOLR.
> > > > 
> > > > Probably this should be updated:
> > > > https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
> > > > 
> > > > And maybe consider releasing patch releases for other versions than 8.11 as
> > > > well which includes log4j 2.16.0?
> > > 
> > > 
> > > Regards,
> > > 
> > > 
> > > Fredrik
> > > 
> > > 
> > > --
> > > Fredrik Rødland               Cell:    +47 99 21 98 17
> > > Maisen Pedersens vei 1        Twitter: @fredrikr
> > > NO-1363 Høvik, NORWAY         flickr:  http://www.flickr.com/fmmr/
> > > http://rodland.no             about.me http://about.me/fmr
> > > 
> > > ------------------------------
> > > 
> > > To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
> > > For additional commands, e-mail: dev-help@lucene.apache.org
> > > 
> > > ------------------------------
> > > 
> > > To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
> > > For additional commands, e-mail: dev-help@lucene.apache.org
> > > 
> > > --
> > > Uwe Schindler
> > > Achterdiek 19, 28357 Bremen
> > > https://www.thetaphi.de
> > > 
> > > --
> > > Uwe Schindler
> > > Achterdiek 19, 28357 Bremen
> > > https://www.thetaphi.de
> > > 
> > > 
> > > 
> > > --
> > > http://www.needhamsoftware.com (work)
> > > http://www.the111shift.com (play)
> > > 
> > > 
> > > 
> > 
> > --
> > http://www.needhamsoftware.com (work)
> > http://www.the111shift.com (play)
> > 
> 
> 
> --
> http://www.needhamsoftware.com (work)
> http://www.the111shift.com (play)
> 
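
An added example, not part of the thread and not Solr's or Log4j's own code: a Python audit of a log4j2 XML configuration that lists, per appender, the thread-context (MDC) keys a PatternLayout renders, since the thread's argument rests on those values being restricted to alphanumeric characters, and flags message converters without `{nolookups}`. The sample configuration, appender names and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Optional width/precision modifiers between '%' and the converter name.
_MOD = r"(?:-?\d+)?(?:\.-?\d+)?"
# Thread Context Map converters: %X, %mdc, %MDC, with an optional {key[,key]}.
_CTX_CONVERTER = re.compile(r"%" + _MOD + r"(?:X|mdc|MDC)(?:\{([^}]*)\})?")
# Context Lookups: ${ctx:key}, or the escaped form $${ctx:key}.
_CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]*)[^}]*\}")
# Message converters %m / %msg / %message plus any {option} groups.
_MSG_CONVERTER = re.compile(
    r"%" + _MOD + r"(?:message|msg|m)((?:\{[^}]*\})*)(?![A-Za-z])")
# Allowlist matching the thread's description of the MDC values: alphanumeric only.
_SAFE_MDC_VALUE = re.compile(r"[A-Za-z0-9]+")

# Constructed sample configuration (not Solr's shipped log4j2.xml).
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="STDOUT">
      <PatternLayout pattern="%d %-5p [%X{collection} %X{shard}] %c{1.} %m%n"/>
    </Console>
    <File name="AUDIT" fileName="audit.log">
      <PatternLayout><Pattern>%d ${ctx:trace_id} %msg{nolookups}%n</Pattern></PatternLayout>
    </File>
    <File name="PLAIN" fileName="plain.log">
      <PatternLayout pattern="%d %p %m{nolookups}%n"/>
    </File>
  </Appenders>
</Configuration>"""

class Finding(NamedTuple):
    appender: str            # name of the element that owns the PatternLayout
    context_keys: list       # MDC keys the pattern renders ("*" = whole map)
    unguarded_message: bool  # a %m/%msg/%message without {nolookups}

def is_safe_mdc_value(value):
    """True only for values made entirely of ASCII letters and digits."""
    return _SAFE_MDC_VALUE.fullmatch(value) is not None

def inspect_pattern(pattern):
    """Return (sorted MDC keys referenced, whether a message converter lacks nolookups)."""
    keys = []
    for m in _CTX_CONVERTER.finditer(pattern):
        arg = m.group(1)
        keys += [k.strip() for k in arg.split(",")] if arg else ["*"]
    keys += [m.group(1) for m in _CTX_LOOKUP.finditer(pattern)]
    unguarded = any("nolookups" not in m.group(1).lower()
                    for m in _MSG_CONVERTER.finditer(pattern))
    return sorted(set(keys)), unguarded

def _local(tag):
    return tag.rsplit("}", 1)[-1].lower()  # drop any XML namespace, ignore case

def audit_config(xml_text):
    """Scan a trusted, local log4j2 XML config and return one Finding per risky layout."""
    findings = []
    for owner in ET.fromstring(xml_text).iter():
        for layout in owner:
            if _local(layout.tag) != "patternlayout":
                continue
            pattern = layout.get("pattern")
            if pattern is None:  # pattern given as a nested <Pattern> element
                node = next((c for c in layout if _local(c.tag) == "pattern"), None)
                pattern = (node.text or "") if node is not None else ""
            keys, unguarded = inspect_pattern(pattern)
            if keys or unguarded:
                findings.append(Finding(owner.get("name", owner.tag), keys, unguarded))
    return findings
```

Every key reported in `context_keys` is a value the application must validate, for instance with `is_safe_mdc_value`, before it reaches `ThreadContext.put`.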

