Cristian,

Until the next release, you can add: -Dlog4j2.formatMsgNoLookups=true.

If you're running Tika server in 1.x with spawnChild mode, add -JDlog4j2.formatMsgNoLookups=true

In 2.x add -Dlog4j2.formatMsgNoLookups=true to the forkedJvmArgs element in the <server/>, <pipes/> and <async/> elements in tikaConfig.xml

On Sat, Dec 11, 2021 at 3:42 AM Cristian Zamfir <[email protected]> wrote:
>
> It would be great to also update the Docker containers, it is a critical
> vulnerability IMO. Thanks!
>
>
> On Fri, Dec 10, 2021 at 5:41 PM Tim Allison <[email protected]> wrote:
>
> > All,
> > As you've probably heard, a dire rce was recently announced in
> > log4j2. I suspect it would be fairly easy to develop a PoC to show
> > that we're vulnerable. It isn't as straightforward as webapps that
> > are logging direct user input, but I don't think it would take much.
> > Should we push for a 2.x release in the next few days?
> >
> > Best,
> >
> > Tim
> >
>
> --
> Cristian Zamfir
> Co-founder/VP of Reliability and Security - Cyberhaven
> https://cyberhaven.com
> https://www.linkedin.com/in/cristizamfir/
> Mobile: +41 (798) 241-698 / +1 (617) 651-1306
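
A check for the 2.x mitigation described in the reply above, as an added example that is not part of the original thread or Tika's own code: it parses a tikaConfig.xml and reports, for each of <server/>, <pipes/> and <async/>, whether forkedJvmArgs carries the flag. The sample config is constructed and its <params>/<arg> nesting is an assumed layout; the check relies only on the element names given in the thread, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
FORKING_ELEMENTS = ("server", "pipes", "async")

# Constructed sample; the <params>/<arg> nesting is an assumed layout.
SAMPLE_CONFIG = """\
<properties>
  <server><params>
    <forkedJvmArgs>
      <arg>-Xmx1g</arg>
      <arg>-Dlog4j2.formatMsgNoLookups=true</arg>
    </forkedJvmArgs>
  </params></server>
  <pipes><params>
    <forkedJvmArgs><arg>-Xmx1g</arg></forkedJvmArgs>
  </params></pipes>
  <async><params/></async>
</properties>
"""


def audit_forked_jvm_args(xml_text):
    """Map each forking element to 'ok', 'flag missing',
    'no forkedJvmArgs' or 'absent'."""
    # The config is a local, admin-controlled file; do not feed this
    # parser XML from untrusted sources.
    root = ET.fromstring(xml_text)
    report = {}
    for name in FORKING_ELEMENTS:
        elem = root.find(f".//{name}")
        if elem is None:
            report[name] = "absent"
            continue
        blocks = list(elem.iter("forkedJvmArgs"))
        if not blocks:
            report[name] = "no forkedJvmArgs"
            continue
        # Split on whitespace so one-arg-per-element and space-separated
        # forms are both handled; exact match rejects "=false" and typos.
        tokens = [tok for b in blocks for text in b.itertext()
                  for tok in text.split()]
        report[name] = "ok" if FLAG in tokens else "flag missing"
    return report


def unprotected(report):
    """Names of configured forking elements that lack the flag."""
    return [n for n, s in report.items() if s not in ("ok", "absent")]


if __name__ == "__main__":
    print(audit_forked_jvm_args(SAMPLE_CONFIG))
```

A passing result only confirms the flag is present in the config for the forked JVMs; it does not cover the 1.x spawnChild form (-JD prefix) or the parent JVM's own command line.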
