Thanks Tim,

Sounds good. Just checking, I suppose this option needs to be added explicitly to <server/>, <pipes/> and <async/> to override the default settings, even if these are not specified at all in tikaConfig.xml, is that right?

On Sat, Dec 11, 2021 at 2:05 PM Tim Allison <[email protected]> wrote:

> Cristian,
> Until the next release, you can add: -Dlog4j2.formatMsgNoLookups=true.
>
> If you're running Tika server in 1.x with spawnChild mode, add
> -JDlog4j2.formatMsgNoLookups=true
> In 2.x add -Dlog4j2.formatMsgNoLookups=true to the forkedJvmArgs
> element in the <server/>, <pipes/> and <async/> elements in
> tikaConfig.xml
>
> On Sat, Dec 11, 2021 at 3:42 AM Cristian Zamfir <[email protected]>
> wrote:
> >
> > It would be great to also update the Docker containers, it is a critical
> > vulnerability IMO. Thanks!
> >
> >
> > On Fri, Dec 10, 2021 at 5:41 PM Tim Allison <[email protected]> wrote:
> >
> > > All,
> > > As you've probably heard, a dire rce was recently announced in
> > > log4j2. I suspect it would be fairly easy to develop a PoC to show
> > > that we're vulnerable. It isn't as straightforward as webapps that
> > > are logging direct user input, but I don't think it would take much.
> > > Should we push for a 2.x release in the next few days?
> > >
> > > Best,
> > >
> > > Tim
> > >
> >
> > --
> > Cristian Zamfir
> > Co-founder/VP of Reliability and Security - Cyberhaven
> > https://cyberhaven.com
> > https://www.linkedin.com/in/cristizamfir/
> > Mobile: +41 (798) 241-698 / +1 (617) 651-1306
>
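
A way to check a tikaConfig.xml for the interim mitigation discussed in this thread, added here as an example and not code from the thread or from the Tika project. It assumes each JVM argument appears as text somewhere inside a forkedJvmArgs element; the sample config is constructed. Sections that are absent are reported separately, since the thread leaves open what applies to them.

```python
import xml.etree.ElementTree as ET

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
SECTIONS = ("server", "pipes", "async")  # elements named in the thread

# Constructed sample: <server/> carries the flag, <pipes/> has forked JVM
# args without it, and <async/> is not specified at all.
SAMPLE_CONFIG = """<properties>
  <server>
    <params>
      <forkedJvmArgs>
        <arg>-Xmx1g</arg>
        <arg>-Dlog4j2.formatMsgNoLookups=true</arg>
      </forkedJvmArgs>
    </params>
  </server>
  <pipes>
    <params>
      <forkedJvmArgs>
        <arg>-Xmx1g</arg>
      </forkedJvmArgs>
    </params>
  </pipes>
</properties>"""


def audit(config_xml):
    """Map each section to 'ok', 'flag-missing' or 'section-absent'."""
    root = ET.fromstring(config_xml)
    report = {}
    for name in SECTIONS:
        section = root.find(name)
        if section is None:
            # Not configured: the file cannot tell us what the forked JVM gets.
            report[name] = "section-absent"
            continue
        args = []
        # Collect every whitespace-separated token under forkedJvmArgs
        # (assumed layout: one argument per child element).
        for jvm_args in section.iter("forkedJvmArgs"):
            args.extend("".join(jvm_args.itertext()).split())
        report[name] = "ok" if FLAG in args else "flag-missing"
    return report


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIG).items():
        print(f"<{name}/>: {status}")
```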
