I created a new one actually: https://github.com/apache/solr-site/pull/55
~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley

On Mon, Dec 13, 2021 at 7:39 PM David Smiley <[email protected]> wrote:

> Correct. I just reviewed occurrences of log.info, log.warn etc. and it's
> all boring stuff that definitely doesn't take user input.
>
> I'm going to remove this from the news in my PR:
> https://github.com/apache/solr-site/pull/54
>
> ~ David Smiley
> Apache Lucene/Solr Search Developer
> http://www.linkedin.com/in/davidwsmiley
>
>
> On Mon, Dec 13, 2021 at 7:07 PM Cassandra Targett <[email protected]>
> wrote:
>
>> Can someone explain why it’s no risk & can’t be exploited? Because it
>> doesn’t take input?
>> On Dec 12, 2021, 4:26 PM -0600, Uwe Schindler <[email protected]>, wrote:
>>
>> +1
>>
>> I was wondering about this, too. It makes mitigation too complex. There
>> is no risk in the exporter script. Just mention this as a single sentence.
>>
>> Possibly also add the sentence u declining the importance and why in my
>> previous message on private list.
>>
>> On 12 December 2021 22:16:38 UTC, David Smiley <
>> [email protected]> wrote:
>>>
>>> Just a simple question here -- does the Prometheus Exporter present a
>>> risk for the Log4j 2 vulnerability? It was added to the news page but
>>> instinctively I don't see how an attacker might exploit it. If it's not
>>> expected to be a concern, I think we should state so in the news; no reason
>>> to raise undue alarm bells. Maybe we should remove it.
>>>
>>> ~ David Smiley
>>> Apache Lucene/Solr Search Developer
>>> http://www.linkedin.com/in/davidwsmiley
>>>
>> --
>> Uwe Schindler
>> Achterdiek 19, 28357 Bremen
>> https://www.thetaphi.de
