[ 
https://issues.apache.org/jira/browse/OFBIZ-12646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-12646:
------------------------------------
    Summary: Java Deserialization vulnerability in Apache OfBiz  (was: Sorl 
external logging is not working, but a bit in console)

> Java Deserialization vulnerability in Apache OfBiz
> --------------------------------------------------
>
>                 Key: OFBIZ-12646
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12646
>             Project: OFBiz
>          Issue Type: Bug
>          Components: solr
>            Reporter: Jacques Le Roux
>            Priority: Major
>
> The "internal logging" accessible in the Solr admin page works well. It's 
> sufficient to give the more important info. This was last done by 
> OFBIZ-6858.
> While working on Solr 9.0.0 I needed the "external logging" (solr.log file) 
> with the possibility to see what happens before you get to the Solr admin 
> page. There is already some more information in console but not what I really 
> need.
> Currently OFBizSolrContextFilter class uses system properties to handle 
> logging. I don't know if it has ever worked but clearly now env vars are 
> needed:
> https://solr.apache.org/guide/7_4/configuring-logging.html#permanent-logging-settings
> notably SOLR_LOGS_DIR. This could be useful too 
> https://solr.apache.org/guide/7_4/taking-solr-to-production.html#log-settings 
> (LOG4J_PROPS)
> An alternative is to set Solr logging in standard OFBiz log4j2.xml.
> I'm not sure we need to specify the path for Solr. If so a solution could be 
> to follow 
> https://logging.apache.org/log4j/2.x/manual/configuration.html#Composite_Configuration
>  by using the LOG4J_CONFIGURATION_FILE env var.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
