[ https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460168#comment-17460168 ]
Konstantin Gribov commented on TIKA-3616:
-----------------------------------------
I looked a bit at how Tika and its upstream dependencies use
{{MDC}}/{{ThreadContext}}, which are vulnerable in 2.15, and Tika and deps use
them quite sparsely (as far as IntelliJ IDEA sees usages).
{{solrj}} puts the Solr client URL into MDC, Zookeeper puts the node id from the config
file into MDC, and UIMA puts some ids into it which don't seem to be
user-generated, at least in Tika.
Also {{testcontainers}} uses MDC, but only in {{test}} scope.
> Upgrade log4j2
> --------------
>
> Key: TIKA-3616
> URL: https://issues.apache.org/jira/browse/TIKA-3616
> Project: Tika
> Issue Type: Task
> Reporter: Tim Allison
> Priority: Major
> Fix For: 2.1.1
>
>
> RCE...might be difficult to trigger in Tika, but why ask for a PoC...
> This only affects 2.x. We were still using the old log4j in 1.x
--
This message was sent by Atlassian Jira (v8.20.1#820001)