Re: Can dovecot be leveraged to exploit Solr/Log4shell?

2021-12-15 Thread John Fawcett
On 15/12/2021 08:52, Aki Tuomi wrote: The suggested configuration is good, and although we did some checking to ensure that dovecot escapes the search queries and usernames sent to solr, so it is not trivial to send the JNDI expansion strings to be logged by solr, it is still a good idea to set

Re: Can dovecot be leveraged to exploit Solr/Log4shell?

2021-12-15 Thread Jochen Bern
On 15.12.21 08:45, Alessio Cecchi wrote: SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" and should be enough to prevent this vulnerability. Possibly not anymore, see CVE-2021-45046 ("re-opened" CVE-2021-44228 for v2 prior to 2.16.0) and CVE-2021-4104 (variant for v1, in the meantime

Re: Can dovecot be leveraged to exploit Solr/Log4shell?

2021-12-14 Thread Aki Tuomi
The suggested configuration is good, and although we did some checking to ensure that dovecot escapes the search queries and usernames sent to solr, so it is not trivial to send the JNDI expansion strings to be logged by solr, it is still a good idea to set this. Aki > On 15/12/2021 09:45

Re: Can dovecot be leveraged to exploit Solr/Log4shell?

2021-12-14 Thread Alessio Cecchi
Hi, for Solr you can edit your solr.in.sh file to include: SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" and that should be enough to prevent this vulnerability. Ciao On 13/12/21 23:43, Joseph Tam wrote: I'm surprised I haven't seen this mentioned yet. An internet red alert went
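The solr.in.sh setting above, together with the caveat in Jochen Bern's reply earlier on this page that formatMsgNoLookups is no longer considered sufficient for Log4j 2 releases before 2.16.0 (CVE-2021-45046), can be turned into a small audit. The following is an added example written for this page, not code from Dovecot, Solr or any poster; it assumes the usual Solr layout (log4j-core-*.jar under server/lib/ext/, JVM options in bin/solr.in.sh or /etc/default/solr.in.sh) and builds a constructed, throw-away install to run against. The 2.16.0 threshold is the one stated in the thread; check the current vendor advisory before relying on it.

```python
"""Audit a Solr install for the Log4Shell mitigation discussed above.

Added example, not Dovecot or Solr code. Assumes the usual Solr layout:
log4j-core-*.jar under server/lib/ext/ and the JVM options in a
solr.in.sh file (bin/solr.in.sh or /etc/default/solr.in.sh).
"""
import os
import re
import tempfile
import zipfile

# Threshold taken from the thread: CVE-2021-45046 re-opens the issue for
# Log4j 2 releases before 2.16.0. Check the vendor advisory for the current value.
FIXED_VERSION = (2, 16, 0)
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def solr_opts_from_script(text):
    """Return the tokens appended to SOLR_OPTS in solr.in.sh content.

    Handles lines such as SOLR_OPTS="$SOLR_OPTS -Dfoo=bar"; the
    $SOLR_OPTS self-reference and comment lines are skipped.
    """
    opts = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'(?:export\s+)?SOLR_OPTS=(.*)$', line)
        if line.startswith("#") or not m:
            continue
        value = m.group(1).strip().strip('"\'')
        opts.extend(tok for tok in value.split() if tok != "$SOLR_OPTS")
    return opts


def log4j_core_version(jar_path):
    """Read the Log4j release version from a log4j-core jar manifest."""
    with zipfile.ZipFile(jar_path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for key in ("Log4jReleaseVersion", "Implementation-Version"):
        m = re.search(r"^%s:\s*(\d+(?:\.\d+)*)" % key, manifest, re.M)
        if m:
            return tuple(int(p) for p in m.group(1).split("."))
    return None


def find_log4j_core(solr_home):
    """Locate log4j-core-*.jar below solr_home (first match wins)."""
    for root, _dirs, files in os.walk(solr_home):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                return os.path.join(root, name)
    return None


def assess(version, opts):
    """Classify the install the way the thread does.

    fixed:               Log4j >= FIXED_VERSION, no flag needed
    mitigated-partially: older Log4j with formatMsgNoLookups; per the
                         CVE-2021-45046 caveat this is no longer sufficient
    vulnerable:          older Log4j and no flag
    """
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "fixed"
    if NOLOOKUPS_FLAG in opts:
        return "mitigated-partially"
    return "vulnerable"


def _constructed_install(solr_home, log4j_version, script_text):
    """Build a fake Solr tree for the demo (constructed, not a real install)."""
    ext = os.path.join(solr_home, "server", "lib", "ext")
    os.makedirs(ext)
    os.makedirs(os.path.join(solr_home, "bin"))
    jar = os.path.join(ext, "log4j-core-%s.jar" % log4j_version)
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % log4j_version)
    with open(os.path.join(solr_home, "bin", "solr.in.sh"), "w") as f:
        f.write(script_text)


def demo():
    """Audit a constructed install: Log4j 2.14.1 plus the flag from the thread."""
    with tempfile.TemporaryDirectory() as solr_home:
        _constructed_install(solr_home, "2.14.1",
                             'SOLR_OPTS="$SOLR_OPTS -Dsolr.log.dir=/var/solr/logs"\n'
                             '# mitigation suggested in the thread\n'
                             'SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"\n')
        jar = find_log4j_core(solr_home)
        version = log4j_core_version(jar)
        with open(os.path.join(solr_home, "bin", "solr.in.sh")) as f:
            opts = solr_opts_from_script(f.read())
        return {"jar": os.path.relpath(jar, solr_home), "version": version,
                "opts": opts, "status": assess(version, opts)}


if __name__ == "__main__":
    print(demo())
```

On a real host, point find_log4j_core() at the Solr install directory and solr_opts_from_script() at whichever solr.in.sh the init script actually sources; a "mitigated-partially" result is the situation Jochen Bern warns about, and the remedy is upgrading log4j-core rather than adding more flags.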

Re: Can dovecot be leveraged to exploit Solr/Log4shell?

2021-12-14 Thread John Fawcett
On 14/12/2021 03:23, Scott wrote: Is this assuming you log at some verbose level? What if you log at WARN or higher? For production it seems kind of silly to log search queries anyways. Scott It's a pretty much standard install where most things are at INFO level. Probably could turn it

RE: Can dovecot be leveraged to exploit Solr/Log4shell?

2021-12-13 Thread Aki Tuomi
ot On Behalf Of John Fawcett > Sent: Monday, December 13, 2021 8:52 PM > To: dovecot@dovecot.org > Subject: Re: Can dovecot be leveraged to exploit Solr/Log4shell? > > On 13/12/2021 23:43, Joseph Tam wrote: > > > > I'm surprised I haven't seen this mentioned yet. > >

RE: Can dovecot be leveraged to exploit Solr/Log4shell?

2021-12-13 Thread Scott
Subject: Re: Can dovecot be leveraged to exploit Solr/Log4shell? On 13/12/2021 23:43, Joseph Tam wrote: > > I'm surprised I haven't seen this mentioned yet. > > An internet red alert went out Friday on a new zero-day exploit. It is > an input validation problem where Java's L

Re: Can dovecot be leveraged to exploit Solr/Log4shell?

2021-12-13 Thread John Fawcett
On 13/12/2021 23:43, Joseph Tam wrote: I'm surprised I haven't seen this mentioned yet. An internet red alert went out Friday on a new zero-day exploit. It is an input validation problem where Java's Log4j module can be instructed via a specially crafted string to fetch and execute code from a

Can dovecot be leveraged to exploit Solr/Log4shell?

2021-12-13 Thread Joseph Tam
I'm surprised I haven't seen this mentioned yet. An internet red alert went out Friday on a new zero-day exploit. It is an input validation problem where Java's Log4j module can be instructed via a specially crafted string to fetch and execute code from a remote LDAP server. It has been