Closed rombaum closed 2 years ago
Hi, as far as we know this isn't an issue for OLS because:
The Docker image uses Solr 5.3.x, which also seems to use Log4j 1.x:
[solr-5.3.0]$ find . | grep log4j
[..]
./server/lib/ext/log4j-1.2.17.jar
./server/lib/ext/slf4j-log4j12-1.7.7.jar
./licenses/log4j-1.2.17.jar.sha1
[..]
Hi @udp
thank for your reply. First of all that sounds good. But I found this:
Log4j version 1.x is not directly vulnerable, because it does not offer a JNDI look up mechanism. However, Log4j 1.x comes with JMSAppender, which will perform a JNDI lookup if enabled in Log4j's configuration file (i.e., log4j.properties or log4j.xml). Thus, an attacker who can write to an application's Log4j configuration file can perform a remote code execution attack whenever Log4j 1.x reads its malicious configuration file. Source: https://www.technology.pitt.edu/content/additional-guidance-regarding-log4j-vulnerability
Is the JMSAppender disabled in OLS/OxO?
an attacker who can write to an application's Log4j configuration file
If an attacker can write to your configuration files, you're toast anyway...
Dear OLS team, Dear @henrietteharmse, Dear @udp,
did you think there are any problems in context of the Log4j security issues for OLS? OLS is using an older version of Apache Solr. As far as I know that is a problem because Solr uses Log4j. That sounds for me it could be critical to use OLS.
So is there a way to upgrade or disable this functionality to get rid of the risk of this issue?
I'm looking forward,
Roman