Hi,

Solr does use MDC (the %X pattern), but the values are not user generated and 
all come from config files and are enforced to comply with certain formats (e.g., 
no $ possible). Shard, replica, collection names are sanitized.

In short, all fine, no need to change the mitigation instructions. There is also 
no need to update log4j in older versions of Solr.

Uwe

On 14 December 2021 21:10:26 UTC, solr <[email protected]> wrote:
>Only setting -Dlog4j2.formatMsgNoLookups=true might not be enough to mitigate 
>the log4j vulnerability.
>
>See https://github.com/kmindi/log4shell-vulnerable-app
>“So even with LOG4J_FORMAT_MSG_NO_LOOKUPS true version 2.14.1 of log4j is 
>vulnerable when using ThreadContextMap in PatternLayout.”
>
>ThreadContext.put(key, value) is used under the hood by MDC.  I’m not sure 
>whether any user-input is actually stored in MDC in SOLR.
>
>
>Probably this should be updated: 
>https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
>
>And maybe consider releasing patch releases for other versions than 8.11 as 
>well which include log4j 2.16.0?
>
>
>
>Regards,
>
>
>Fredrik
>
>
>--
>Fredrik Rødland               Cell:    +47 99 21 98 17
>Maisen Pedersens vei 1        Twitter: @fredrikr
>NO-1363 Høvik, NORWAY         flickr:  http://www.flickr.com/fmmr/
>http://rodland.no             about.me http://about.me/fmr
>
>
>

--
Uwe Schindler
Achterdiek 19, 28357 Bremen
https://www.thetaphi.de
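The point raised in this thread is that `-Dlog4j2.formatMsgNoLookups=true` only neutralises lookups in the log message, so anything rendered through `%X`/`%mdc` in a PatternLayout must itself be free of `${` sequences. The following audit helper is an added example, not Solr's code or the list's; it assumes a PatternLayout string and the MDC values as plain Python inputs, and it applies the single rule mentioned above (no `$` in values), since the exact sanitization format is not given here.

```python
import re

# PatternLayout conversions that render ThreadContext (MDC) values.
# formatMsgNoLookups does not cover these; only the %m message text.
MDC_CONVERSIONS = re.compile(r"%(?:X|mdc|MDC)\b")


def pattern_exposes_mdc(pattern: str) -> bool:
    """True if a PatternLayout string renders MDC values (%X, %mdc, %MDC)."""
    return bool(MDC_CONVERSIONS.search(pattern))


def is_safe_mdc_value(value: str) -> bool:
    """Assumed rule from the thread: a sanitized name never contains '$',
    so no '${...}' lookup can ever be assembled from it."""
    return "$" not in value


def audit(pattern: str, mdc: dict, format_msg_no_lookups: bool) -> list:
    """Return a list of findings; an empty list means the configuration
    and the MDC contents together give the substitutor nothing to expand."""
    findings = []
    if not format_msg_no_lookups:
        findings.append("message lookups still enabled (formatMsgNoLookups=false)")
    if pattern_exposes_mdc(pattern):
        for key, value in mdc.items():
            if not is_safe_mdc_value(value):
                findings.append(
                    f"MDC key {key!r} carries '$' and is rendered by the layout")
    return findings


if __name__ == "__main__":
    # Constructed sample: a Solr-like layout and two MDC snapshots.
    layout = "%d{ISO8601} %-5p [%X{collection} s:%X{shard} r:%X{replica}] %m%n"
    clean = {"collection": "products", "shard": "shard1", "replica": "core_node2"}
    tainted = {"collection": "${unsafe}", "shard": "shard1"}  # constructed
    print(audit(layout, clean, True))      # []
    print(audit(layout, tainted, True))    # one finding for 'collection'
```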
