The MDC Patterns used by solr are for the collection, shard, replica, core and node names, and a potential trace id. All of those are restricted to alphanumeric, no special characters like $ or { needed for the injection. And trying to access a collection that didn’t exist Returns 404 without logging.
Upgrading is always going to be more complete, but I think we’re still ok for now, at least until the next iteration of this attack surfaces. On Tue, Dec 14, 2021 at 3:37 PM solr <fred...@rodland.no> wrote: > Only setting -Dlog4j2.formatMsgNoLookups=true might not be enough to > mitigate the log4j vulnerability. > > See https://github.com/kmindi/log4shell-vulnerable-app > “So even with LOG4J_FORMAT_MSG_NO_LOOKUPS true version 2.14.1 of log4j is > vulnerable when using ThreadContextMap in PatternLayout.” > > ThreadContext.put(key, value) is used under the hood by MDC. I’m not sure > wether any user-input is actually stored in MDC in SOLR. > > > Probably this should be updated: > https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 > > And maybe consider releasing patch releases for other versions than 8.11 > as well which includes log4j 2.16.0? > > > > Regards, > > > Fredrik > > > -- > Fredrik Rødland Cell: +47 99 21 98 17 > Maisen Pedersens vei 1 Twitter: @fredrikr > NO-1363 Høvik, NORWAY flickr: http://www.flickr.com/fmmr/ > http://rodland.no about.me http://about.me/fmr > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org > For additional commands, e-mail: dev-h...@lucene.apache.org > >