Correct. I just reviewed occurrences of log.info, log.warn etc. and it's all boring stuff that definitely doesn't take user input.

I'm going to remove this from the news in my PR: https://github.com/apache/solr-site/pull/54

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley

On Mon, Dec 13, 2021 at 7:07 PM Cassandra Targett <casstarg...@gmail.com> wrote:

> Can someone explain why it’s no risk & can’t be exploited? Because it doesn’t take input?
>
> On Dec 12, 2021, 4:26 PM -0600, Uwe Schindler <u...@thetaphi.de>, wrote:
>
>> +1
>>
>> I was wondering about this, too. It makes mitigation too complex. There is no risk in the exporter script. Just mention this as a single sentence.
>>
>> Possibly also add the sentence u declining the importance and why in my previous message on private list.
>>
>> On 12 December 2021 22:16:38 UTC, David Smiley <dsmi...@apache.org> wrote:
>>
>>> Just a simple question here -- does the Prometheus Exporter present a risk for the Log4j 2 vulnerability? It was added to the news page but instinctively I don't see how an attacker might exploit it. If it's not expected to be a concern, I think we should state so in the news; no reason to raise undue alarm bells. Maybe we should remove it.
>>>
>>> ~ David Smiley
>>> Apache Lucene/Solr Search Developer
>>> http://www.linkedin.com/in/davidwsmiley
>>
>> --
>> Uwe Schindler
>> Achterdiek 19, 28357 Bremen
>> https://www.thetaphi.de