ppkarwasz commented on PR #195: URL: https://github.com/apache/solr-site/pull/195#issuecomment-4738494512
My overall assessment is that the streak of CVEs we released in April has marginal impact on Solr 9.10.1 (or Solr 10.0.0) and does not, by itself, warrant a new release. The users who could be impacted fall into two groups:

- the rare category that reconfigures Solr to log to a syslog server, and
- the non-existent category that uses XML as its logging format.

All of these CVEs concern the resilience of the logging pipeline, with a worst case of a SIEM crashing on invalid input, logs being mangled, or logs being intercepted by an adversary with MitM capability. They matter to users who have very high requirements for log integrity, whereas most users are content to parse the non-machine-readable output of `PatternLayout` and are unbothered when the occasional line fails to parse.

We had to publish these CVEs because suitability for audit logging is one of the features that sets Log4j Core apart from the much simpler Logback. But the message for most users is the same: you would have to tighten your logging hygiene and customize Solr quite heavily before any of these CVEs has a visible impact.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
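The comment above splits exposure by two configuration choices: whether Solr's Log4j Core has been pointed at a syslog server, and whether it emits XML instead of the stock `PatternLayout`. The following is an added example, not code from the comment or from the Solr project, of a small check an operator could run against a `log4j2.xml` to tell which group a deployment falls into. It relies on the Log4j 2 plugin names `Syslog` (appender) and `XmlLayout` (layout), and on the fact that an appender only matters when some logger references it via `AppenderRef`. Both configurations embedded below are constructed for the example; the stock one mirrors the shape of Solr's default (Console and rolling file appenders with `PatternLayout`).

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Solr-style config that keeps the stock PatternLayout
# appenders but also ships audit logs to a syslog host in XML form. The host
# name is a placeholder.
CUSTOMIZED_CONFIG = """
<Configuration>
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p (%t) [%X{core}] %c{1.} %m%n"/>
    </Console>
    <RollingRandomAccessFile name="MainLogFile" fileName="logs/solr.log"
                             filePattern="logs/solr.log.%i">
      <PatternLayout pattern="%d %-5p %c %m%n"/>
      <Policies><SizeBasedTriggeringPolicy size="32 MB"/></Policies>
    </RollingRandomAccessFile>
    <Syslog name="AuditSyslog" host="siem.example.invalid" port="514" protocol="TCP">
      <XmlLayout/>
    </Syslog>
    <Syslog name="UnusedSyslog" host="old-siem.example.invalid" port="514"/>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="STDOUT"/>
      <AppenderRef ref="MainLogFile"/>
      <AppenderRef ref="AuditSyslog"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the stock shape, PatternLayout only, nothing to flag.
STOCK_CONFIG = """
<Configuration>
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p %c %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="STDOUT"/></Root>
  </Loggers>
</Configuration>
"""


def audit_logging_config(xml_text: str) -> dict:
    """Return which appenders put a deployment into the syslog or XML group.

    Only appenders that are actually referenced by a logger count as active;
    a Syslog appender that nothing writes to does not change exposure.
    Log4j resolves plugin names case-insensitively, so tags are lower-cased.
    """
    root = ET.fromstring(xml_text)
    referenced = {ref.get("ref") for ref in root.iter("AppenderRef")}
    syslog, xml_layout = set(), set()
    appenders = root.find("Appenders")
    for app in (appenders if appenders is not None else []):
        name = app.get("name", "<unnamed>")
        if app.tag.lower() == "syslog":
            syslog.add(name)
        if any(child.tag.lower() == "xmllayout" for child in app):
            xml_layout.add(name)
    return {
        "syslog_appenders": sorted(syslog),
        "xml_layout_appenders": sorted(xml_layout),
        "active_syslog": sorted(syslog & referenced),
        "active_xml_layout": sorted(xml_layout & referenced),
    }


def affected_groups(xml_text: str) -> list:
    """Map the audit result onto the two groups named in the comment."""
    report = audit_logging_config(xml_text)
    groups = []
    if report["active_syslog"]:
        groups.append("logs to a syslog server")
    if report["active_xml_layout"]:
        groups.append("uses XML as its logging format")
    return groups


if __name__ == "__main__":
    for label, cfg in (("customized", CUSTOMIZED_CONFIG), ("stock", STOCK_CONFIG)):
        print(label, audit_logging_config(cfg), affected_groups(cfg))
```

Run it against the real `server/resources/log4j2.xml` by reading the file into `audit_logging_config`; an empty result for both `active_*` keys is the "most users" case the comment describes, where none of the logging-pipeline CVEs would have a visible effect.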
