I created a new one actually: https://github.com/apache/solr-site/pull/55
~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley

On Mon, Dec 13, 2021 at 7:39 PM David Smiley <dsmi...@apache.org> wrote:

> Correct. I just reviewed occurrences of log.info, log.warn etc. and it's
> all boring stuff that definitely doesn't take user input.
>
> I'm going to remove this from the news in my PR:
> https://github.com/apache/solr-site/pull/54
>
> ~ David Smiley
> Apache Lucene/Solr Search Developer
> http://www.linkedin.com/in/davidwsmiley
>
>
> On Mon, Dec 13, 2021 at 7:07 PM Cassandra Targett <casstarg...@gmail.com>
> wrote:
>
>> Can someone explain why it’s no risk & can’t be exploited? Because it
>> doesn’t take input?
>> On Dec 12, 2021, 4:26 PM -0600, Uwe Schindler <u...@thetaphi.de>, wrote:
>>
>> +1
>>
>> I was wondering about this, too. It makes mitigation too complex. There
>> is no risk in the exporter script. Just mention this as a single sentence.
>>
>> Possibly also add the sentence u declining the importance and why in my
>> previous message on private list.
>>
>> On December 12, 2021 22:16:38 UTC, David Smiley <
>> dsmi...@apache.org> wrote:
>>>
>>> Just a simple question here -- does the Prometheus Exporter present a
>>> risk for the Log4j 2 vulnerability? It was added to the news page but
>>> instinctively I don't see how an attacker might exploit it. If it's not
>>> expected to be a concern, I think we should state so in the news; no reason
>>> to raise undue alarm bells. Maybe we should remove it.
>>>
>>> ~ David Smiley
>>> Apache Lucene/Solr Search Developer
>>> http://www.linkedin.com/in/davidwsmiley
>>>
>> --
>> Uwe Schindler
>> Achterdiek 19, 28357 Bremen
>> https://www.thetaphi.de
>>