[ https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460168#comment-17460168 ]
Konstantin Gribov commented on TIKA-3616:
-----------------------------------------

I looked a bit at how Tika and its upstream dependencies use {{MDC}}/{{ThreadContext}}, which are vulnerable in 2.15, and Tika and deps use them quite sparsely (as far as IntelliJ IDEA sees usages).

{{solrj}} puts Solr client URL into MDC, Zookeeper puts node id from config file into MDC and UIMA puts some ids into it which don't seem to be user-generated, at least in Tika. Also {{testcontainers}} uses MDC but only in {{test}} scope.

> Upgrade log4j2
> --------------
>
>                 Key: TIKA-3616
>                 URL: https://issues.apache.org/jira/browse/TIKA-3616
>             Project: Tika
>          Issue Type: Task
>            Reporter: Tim Allison
>            Priority: Major
>             Fix For: 2.1.1
>
>
> RCE...might be difficult to trigger in Tika, but why ask for a PoC...
> This only affects 2.x. We were still using the old log4j in 1.x

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
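An added example, not part of the Jira thread or of Tika's code: the usage audit described in the comment, done as a script that pairs each {{MDC}}/{{ThreadContext}} write whose value is not a string literal with the layout constructs that read the context map back ({{${ctx:...}}}, {{%X}}, {{%mdc}}, {{%MDC}}). The sample Java lines, keys, config and function names are constructed for illustration.

```python
import re

# Writes into the logging context map (SLF4J MDC / Log4j2 ThreadContext).
# Only single-line calls with a string-literal key are matched.
PUT_CALL = re.compile(
    r'\b(MDC|ThreadContext)\.put\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\)\s*;')
# Layout constructs that read the map back: ${ctx:key}, %X{key}, %mdc{key}, %MDC{key}.
LAYOUT_READ = re.compile(r'\$\{ctx:([^}]+)\}|%(?:X|mdc|MDC)(?:\{([^}]*)\})?')
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')

# Constructed sample input (hypothetical code and config, not taken from Tika or its deps).
SAMPLE_JAVA = '''
MDC.put("node.id", "node-1");
MDC.put("client.url", client.getBaseURL());
ThreadContext.put("doc.name", upload.getFileName());
'''
SAMPLE_CONFIG = '<PatternLayout pattern="%d %p ${ctx:doc.name} %X{node.id} %m%n"/>'

def find_context_writes(java_source):
    """Return (api, key, value_expr, is_literal) for every put call found."""
    writes = []
    for m in PUT_CALL.finditer(java_source):
        value = m.group(3).strip()
        literal = STRING_LITERAL.fullmatch(value) is not None
        writes.append((m.group(1), m.group(2), value, literal))
    return writes

def find_layout_reads(log4j_config):
    """Return context keys a layout reads; '*' means the whole map (%X with no key)."""
    keys = set()
    for m in LAYOUT_READ.finditer(log4j_config):
        key = m.group(1) or m.group(2) or '*'
        keys.add(key.split(':-')[0])  # drop a ${ctx:key:-default} default value
    return keys

def review(java_source, log4j_config):
    """Non-literal writes whose key a layout also reads: candidates for manual data-flow review."""
    reads = find_layout_reads(log4j_config)
    return [(api, key, value)
            for api, key, value, literal in find_context_writes(java_source)
            if not literal and (key in reads or '*' in reads)]

if __name__ == '__main__':
    for api, key, value in review(SAMPLE_JAVA, SAMPLE_CONFIG):
        print(f'{api}.put("{key}", {value}) is read by the layout; check where the value comes from')
```

A hit only means the value is computed at runtime and reaches a layout; whether it is user-generated still has to be decided by reading the call site, as the comment does for each dependency.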