Or, I should have said: yes if you're using pipes and/or async.

On Sun, Dec 12, 2021 at 4:59 AM Cristian Zamfir <[email protected]> wrote:
>
> Thanks Tim,
> Sounds good. Just checking, I suppose this option needs to be added
> explicitly to <server/>, <pipes/> and <async/> to override the default
> settings, even if these are not specified at all in tikaConfig.xml, is that
> right?
>
>
>
> On Sat, Dec 11, 2021 at 2:05 PM Tim Allison <[email protected]> wrote:
>
> > Cristian,
> >   Until the next release, you can add: -Dlog4j2.formatMsgNoLookups=true.
> >
> > If you're running Tika server in 1.x with spawnChild mode, add
> > -JDlog4j2.formatMsgNoLookups=true
> > In 2.x add -Dlog4j2.formatMsgNoLookups=true to the forkedJvmArgs
> > element in the <server/>, <pipes/> and <async/> elements in
> > tikaConfig.xml
> >
> > On Sat, Dec 11, 2021 at 3:42 AM Cristian Zamfir <[email protected]>
> > wrote:
> > >
> > > It would be great to also update the Docker containers, it is a critical
> > > vulnerability IMO. Thanks!
> > >
> > >
> > > On Fri, Dec 10, 2021 at 5:41 PM Tim Allison <[email protected]> wrote:
> > >
> > > > All,
> > > >   As you've probably heard, a dire RCE was recently announced in
> > > > log4j2.  I suspect it would be fairly easy to develop a PoC to show
> > > > that we're vulnerable.  It isn't as straightforward as webapps that
> > > > are logging direct user input, but I don't think it would take much.
> > > >   Should we push for a 2.x release in the next few days?
> > > >
> > > >       Best,
> > > >
> > > >              Tim
> > > >
> > > --
> > > Cristian Zamfir
> > > Co-founder/VP of Reliability and Security - Cyberhaven
> > > https://cyberhaven.com
> > > https://www.linkedin.com/in/cristizamfir/
> > > Mobile: +41 (798) 241-698 / +1 (617) 651-1306
> >
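
An added example, not part of the thread and not Tika's own code: a Python check that reads a tikaConfig.xml and reports, for each of <server/>, <pipes/> and <async/>, whether forkedJvmArgs carries the flag discussed above. The function name, the constructed sample and its <params>/<arg> nesting are assumptions.

```python
import xml.etree.ElementTree as ET

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
SECTIONS = ("server", "pipes", "async")  # elements named in the thread

# Constructed sample config; the <params>/<arg> nesting is an assumption.
SAMPLE = """<properties>
  <server><params><forkedJvmArgs>
    <arg>-Xmx1g</arg>
    <arg>-Dlog4j2.formatMsgNoLookups=true</arg>
  </forkedJvmArgs></params></server>
  <pipes><params><forkedJvmArgs>
    <arg>-Xmx1g</arg>
  </forkedJvmArgs></params></pipes>
</properties>"""


def audit_forked_jvm_args(config_xml):
    """Map each section to 'ok', 'missing-flag' or 'absent'.

    'absent' means the element is not in the file at all, so the forked JVM
    runs with default arguments and the flag has to be added explicitly if
    that component is in use.
    """
    root = ET.fromstring(config_xml)  # run only on your own config file
    report = {}
    for name in SECTIONS:
        section = root.find(f".//{name}")
        if section is None:
            report[name] = "absent"
            continue
        # Collect every <arg> under any forkedJvmArgs element in this section.
        args = [
            (arg.text or "").strip()
            for fja in section.iter("forkedJvmArgs")
            for arg in fja.iter("arg")
        ]
        report[name] = "ok" if FLAG in args else "missing-flag"
    return report


if __name__ == "__main__":
    for section, status in audit_forked_jvm_args(SAMPLE).items():
        print(f"<{section}/>: {status}")
```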
