RE: Log4J RCE vulnerability

2021-12-10 Thread Uwe Schindler
ginal Message- > From: Jason Gerlowski > Sent: Friday, December 10, 2021 7:16 PM > To: dev@solr.apache.org > Subject: Re: Log4J RCE vulnerability > > Does anyone know whether ZooKeeper is affected at all? I checked > their mailing list archive this morning to see if there was

Re: Log4J RCE vulnerability

2021-12-10 Thread Jason Gerlowski
eeting this, too. > > > > Uwe > > > > - > > Uwe Schindler > > Achterdiek 19, D-28357 Bremen > > https://www.thetaphi.de > > eMail: u...@thetaphi.de > > > > From: Cassandra Targett > Sent: Friday, December 10, 2021 5:13 PM > To: de

RE: Log4J RCE vulnerability

2021-12-10 Thread Uwe Schindler
information on mailing list, too. I am tweeting this, too. Uwe - Uwe Schindler Achterdiek 19, D-28357 Bremen https://www.thetaphi.de eMail: u...@thetaphi.de From: Cassandra Targett Sent: Friday, December 10, 2021 5:13 PM To: dev@solr.apache.org Subject: RE: Log4J RCE vulnerability

Re: Log4J RCE vulnerability

2021-12-10 Thread Mike Drob
ould be fixed and by default all expansions on > log messages were disabled: > https://issues.apache.org/jira/browse/LOG4J2-3198 > > - > Uwe Schindler > Achterdiek 19, D-28357 Bremen

RE: Log4J RCE vulnerability

2021-12-10 Thread Cassandra Targett
project-specific CVE.” > > Uwe > > - > Uwe Schindler > Achterdiek 19, D-28357 Bremen > https://www.thetaphi.de > eMail: u...@thetaphi.de > > From: Gus Heck > Sent: Friday, December 10, 2021 1:32 PM > To: dev@solr.apache.org > Subject: Re: Log4J RCE vulnerability

RE: Log4J RCE vulnerability

2021-12-10 Thread Uwe Schindler
- Uwe Schindler Achterdiek 19, D-28357 Bremen https://www.thetaphi.de eMail: u...@thetaphi.de From: Gus Heck Sent: Friday, December 10, 2021 1:32 PM To: dev@solr.apache.org Subject: Re: Log4J RCE vulnerability In progress already it seems <https://issues.apache.org/jira/bro

Re: Log4J RCE vulnerability

2021-12-10 Thread Gus Heck
men >> https://www.thetaphi.de >> eMail: u...@thetaphi.de >> >> > -Original Message- >> > From: Uwe Schindler >> > Sent: Friday, December 10, 2021 11:10 AM >> > To: dev@solr.apache.org >> > Subject: RE: Log4J RCE vulnerability >>

Re: Log4J RCE vulnerability

2021-12-10 Thread Gus Heck
n? > > > > Man man, SNEAKY log4j!!! 😊 > > > > Uwe > > > > - > > Uwe Schindler > > Achterdiek 19, D-28357 Bremen > > https://www.thetaphi.de > > eMail: u...@thetaphi.de > > > > > -Original Message- > > > Fr

RE: Log4J RCE vulnerability

2021-12-10 Thread Uwe Schindler
m: Uwe Schindler > Sent: Friday, December 10, 2021 11:10 AM > To: dev@solr.apache.org > Subject: RE: Log4J RCE vulnerability > > In general the sysprop "log4j2.formatMsgNoLookups=true" fix is the only > correct fix (maybe add it to the bootstrap class of solr). Updating log

Re: Log4J RCE vulnerability

2021-12-10 Thread Bram Van Dam
On 10/12/2021 11.10, Uwe Schindler wrote: In general the sysprop "log4j2.formatMsgNoLookups=true" fix is the only correct fix (maybe add it to the bootstrap class of solr). Updating log4j is not really needed. This prevents any of those shit. There's no reason ever to parse ${} escapes in log

RE: Log4J RCE vulnerability

2021-12-10 Thread Uwe Schindler
essage- > From: Uwe Schindler > Sent: Friday, December 10, 2021 10:35 AM > To: dev@solr.apache.org > Subject: RE: Log4J RCE vulnerability > > Hi, > > I did some checks: > - The problem also exists with logging parameters, so it is also executed if > you >

RE: Log4J RCE vulnerability

2021-12-10 Thread Uwe Schindler
Hi, I did some checks: - The problem also exists with logging parameters, so it is also executed if you call (which is IMHO a design failure in log4j, the reason for this is that the expansion is happening on printing the complete formatted log string to the output file): logger.info("Foobar: