Can someone explain why it’s no risk & can’t be exploited? Because it doesn’t
take input?
On Dec 12, 2021, 4:26 PM -0600, Uwe Schindler <u...@thetaphi.de>, wrote:
> +1
>
> I was wondering about this, too. It makes mitigation too complex. There is no
> risk in the exporter script. Just mention this as a single sentence.
>
> Possibly also add the sentence u declining the importance and why in my
> previous message on private list.
>
> > On December 12, 2021, 22:16:38 UTC, David Smiley <dsmi...@apache.org> wrote:
> > > Just a simple question here -- does the Prometheus Exporter present a
> > > risk for the Log4j 2 vulnerability? It was added to the news page but
> > > instinctively I don't see how an attacker might exploit it. If it's not
> > > expected to be a concern, I think we should state so in the news; no
> > > reason to raise undue alarm bells. Maybe we should remove it.
> > >
> > > ~ David Smiley
> > > Apache Lucene/Solr Search Developer
> > > http://www.linkedin.com/in/davidwsmiley
> --
> Uwe Schindler
> Achterdiek 19, 28357 Bremen
> https://www.thetaphi.de