mario-canva edited a comment on pull request #454:
URL: https://github.com/apache/solr/pull/454#issuecomment-994124565


   Thanks @uschindler, appreciate the quick response! However, their advisory also states other attack vectors may be possible:
   
   > The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.
   
   At the moment we are going with the mitigation they suggested here:
   
   > remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
   
   Although, if we could have a patch for 7.7.3 to upgrade the log4j version to 2.16.0, that would be best.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



---------------------------------------------------------------------
For additional commands, e-mail: issues-h...@solr.apache.org
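The "zip -q -d" workaround quoted in the comment above is a one-liner, but the part people skip is checking afterwards that JndiLookup.class is really gone from every log4j-core jar on the box. The script below is an added example, not code from the Solr PR, the Solr project, or Log4j. It does the same thing as zip -d using only Python's zipfile (so it runs where the zip CLI is absent), then scans a directory tree for jars that still carry the class. The jar it operates on is a constructed stand-in whose class entries are just magic bytes, and the directory layout and file name (server/lib/log4j-core-2.15.0.jar) are hypothetical.

```python
"""Strip JndiLookup.class from a log4j-core jar and verify the result.

Added example, not code from the Solr PR or from Log4j. It replicates the
advisory's `zip -q -d` mitigation with Python's zipfile so it runs without
the zip CLI, and adds the check a practitioner wants afterwards: is the
class really gone from every jar on disk? The jar used below is a
constructed stand-in, not a real log4j build.
"""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Entry the advisory tells you to delete (path inside the jar).
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_entries(jar_path):
    """List the entry names of a jar (a jar is a plain zip archive)."""
    with zipfile.ZipFile(jar_path) as zf:
        return zf.namelist()


def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class."""
    return JNDI_LOOKUP_ENTRY in jar_entries(jar_path)


def strip_entry(jar_path, entry=JNDI_LOOKUP_ENTRY):
    """Rewrite `jar_path` without `entry`, like `zip -d`.

    Returns True if the entry was present and removed, False if there was
    nothing to do. The new archive is written beside the original and moved
    over it only after it is complete, so a crash mid-way leaves the
    original jar intact.
    """
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as src:
        if entry not in src.namelist():
            return False
        fd, tmp_name = tempfile.mkstemp(suffix=".jar", dir=jar_path.parent)
        os.close(fd)
        with zipfile.ZipFile(tmp_name, "w") as dst:
            for info in src.infolist():
                if info.filename == entry:
                    continue
                # Reusing the ZipInfo keeps each entry's compression and timestamp.
                dst.writestr(info, src.read(info.filename))
    shutil.move(tmp_name, str(jar_path))
    return True


def scan_jars(root):
    """Paths (sorted) of every *.jar under `root` that still has JndiLookup.class."""
    hits = []
    for path in Path(root).rglob("*.jar"):
        if zipfile.is_zipfile(path) and has_jndi_lookup(path):
            hits.append(str(path))
    return sorted(hits)


def build_sample_jar(jar_path):
    """Constructed stand-in for a log4j-core jar: manifest plus two fake classes.

    The class bodies are just the class-file magic bytes; the point is the
    entry names, not working bytecode.
    """
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class",
                    b"\xca\xfe\xba\xbe")


def demo():
    """Build a sample jar, apply the mitigation, and report what the checks see."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "server" / "lib"      # hypothetical install layout
        lib.mkdir(parents=True)
        jar = lib / "log4j-core-2.15.0.jar"     # hypothetical file name
        build_sample_jar(jar)
        result = {
            "before": has_jndi_lookup(jar),
            "hits_before": [os.path.basename(p) for p in scan_jars(tmp)],
            "removed": strip_entry(jar),
            "removed_again": strip_entry(jar),  # second run: nothing left to strip
            "after": has_jndi_lookup(jar),
            "hits_after": scan_jars(tmp),
            "remaining": sorted(jar_entries(jar)),
        }
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats when running this against a real install: the jar's bytes change, so any pinned checksum or detached signature you verify on that artifact must be re-pinned after the edit; and scan_jars only looks at top-level *.jar files, so a log4j-core jar bundled inside a war or fat jar is not seen by it. As the comment notes, this is the advisory's workaround; upgrading log4j is still the actual fix.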