+1 I was wondering about this, too. It makes mitigation too complex. There is no risk in the exporter script. Just mention this as a single sentence.
Possibly also add the sentence u declining the importance and why in my previous message on private list.

On 12 December 2021 22:16:38 UTC, David Smiley <dsmi...@apache.org> wrote:
>Just a simple question here -- does the Prometheus Exporter present a risk
>for the Log4j 2 vulnerability? It was added to the news page but
>instinctively I don't see how an attacker might exploit it. If it's not
>expected to be a concern, I think we should state so in the news; no reason
>to raise undue alarm bells. Maybe we should remove it.
>
>~ David Smiley
>Apache Lucene/Solr Search Developer
>http://www.linkedin.com/in/davidwsmiley

--
Uwe Schindler
Achterdiek 19, 28357 Bremen
https://www.thetaphi.de