Posted to dev@solr.apache.org by David Smiley <ds...@apache.org> on 2021/12/12 22:16:38 UTC
Risks of Log4j 2 with the Prometheus Exporter?
Just a simple question here -- does the Prometheus Exporter present a risk
for the Log4j 2 vulnerability? It was added to the news page but
instinctively I don't see how an attacker might exploit it. If it's not
expected to be a concern, I think we should state so in the news; no reason
to raise undue alarm bells. Maybe we should remove it.
~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley
Re: Risks of Log4j 2 with the Prometheus Exporter?
Posted by David Smiley <ds...@apache.org>.
I created a new one actually: https://github.com/apache/solr-site/pull/55
~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley
On Mon, Dec 13, 2021 at 7:39 PM David Smiley <ds...@apache.org> wrote:
> Correct. I just reviewed occurrences of log.info, log.warn etc. and it's
> all boring stuff that definitely doesn't take user input.
>
> I'm going to remove this from the news in my PR:
> https://github.com/apache/solr-site/pull/54
>
> ~ David Smiley
> Apache Lucene/Solr Search Developer
> http://www.linkedin.com/in/davidwsmiley
>
>
> On Mon, Dec 13, 2021 at 7:07 PM Cassandra Targett <ca...@gmail.com>
> wrote:
>
>> Can someone explain why it’s no risk & can’t be exploited? Because it
>> doesn’t take input?
>> On Dec 12, 2021, 4:26 PM -0600, Uwe Schindler <uw...@thetaphi.de>, wrote:
>>
>> +1
>>
>> I was wondering about this, too. It makes mitigation too complex. There
>> is no risk in the exporter script. Just mention this as a single sentence.
>>
>> Possibly also add the sentence u declining the importance and why in my
>> previous message on private list.
>>
>> On 12 December 2021 22:16:38 UTC, David Smiley <
>> dsmiley@apache.org> wrote:
>>>
>>> Just a simple question here -- does the Prometheus Exporter present a
>>> risk for the Log4j 2 vulnerability? It was added to the news page but
>>> instinctively I don't see how an attacker might exploit it. If it's not
>>> expected to be a concern, I think we should state so in the news; no reason
>>> to raise undue alarm bells. Maybe we should remove it.
>>>
>>> ~ David Smiley
>>> Apache Lucene/Solr Search Developer
>>> http://www.linkedin.com/in/davidwsmiley
>>>
>> --
>> Uwe Schindler
>> Achterdiek 19, 28357 Bremen
>> https://www.thetaphi.de
>>
>>
Re: Risks of Log4j 2 with the Prometheus Exporter?
Posted by David Smiley <ds...@apache.org>.
Correct. I just reviewed occurrences of log.info, log.warn etc. and it's
all boring stuff that definitely doesn't take user input.
I'm going to remove this from the news in my PR:
https://github.com/apache/solr-site/pull/54
~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley
On Mon, Dec 13, 2021 at 7:07 PM Cassandra Targett <ca...@gmail.com>
wrote:
> Can someone explain why it’s no risk & can’t be exploited? Because it
> doesn’t take input?
> On Dec 12, 2021, 4:26 PM -0600, Uwe Schindler <uw...@thetaphi.de>, wrote:
>
> +1
>
> I was wondering about this, too. It makes mitigation too complex. There is
> no risk in the exporter script. Just mention this as a single sentence.
>
> Possibly also add the sentence u declining the importance and why in my
> previous message on private list.
>
> On 12 December 2021 22:16:38 UTC, David Smiley <ds...@apache.org> wrote:
>
>>
>> Just a simple question here -- does the Prometheus Exporter present a
>> risk for the Log4j 2 vulnerability? It was added to the news page but
>> instinctively I don't see how an attacker might exploit it. If it's not
>> expected to be a concern, I think we should state so in the news; no reason
>> to raise undue alarm bells. Maybe we should remove it.
>>
>> ~ David Smiley
>> Apache Lucene/Solr Search Developer
>> http://www.linkedin.com/in/davidwsmiley
>>
> --
> Uwe Schindler
> Achterdiek 19, 28357 Bremen
> https://www.thetaphi.de
>
>
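The check David describes above (going through every log.info / log.warn call and asking whether any argument is user-supplied) can be done mechanically as a first pass. What follows is an added example, not code from this thread or from the Solr project: a small Python scanner that finds logger calls in Java source, splits their argument lists, and sorts each call into "literal-only" (nothing but string literals, so nothing attacker-influenced reaches the logger), "tainted" (an argument references a request accessor), or "variable" (non-literal arguments that still need a human look). The sample Java lines, the logger names it recognises (log, LOG, logger) and the list of taint markers are all constructed assumptions and should be adapted to the code base being reviewed.

```python
import re
from typing import Dict, List

# Constructed sample Java source, standing in for the call sites a reviewer would read.
# Not from the Solr Prometheus exporter.
SAMPLE_JAVA = """\
log.info("Starting Prometheus exporter on port {}", port);
log.warn("Config file not found, using defaults");
log.error("Failed to scrape metrics from {}", baseUrl, e);
log.info("Received query: {}", req.getParameter("q"));
LOG.debug("Header value: " + request.getHeader("User-Agent"));
logger.info("Scrape finished in {} ms", elapsed);
"""

# Assumed logger variable names and levels; extend for the project under review.
LOG_CALL = re.compile(
    r'\b(?P<logger>log|LOG|logger)\.(?P<level>trace|debug|info|warn|error|fatal)'
    r'\s*\((?P<args>.*)\)\s*;'
)
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')

# Constructed list of expressions that mark request-derived data.
TAINT_MARKERS = ("getParameter(", "getHeader(", "getQueryString(",
                 "getRequestURI(", "req.", "request.")


def split_args(args: str) -> List[str]:
    """Split a Java argument list on top-level commas, honouring string literals and parentheses."""
    parts, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(args):
        ch = args[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(args):   # keep escaped char inside the literal
                cur.append(args[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            cur.append(ch)
        elif ch == ")":
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        parts.append("".join(cur).strip())
    return parts


def classify_log_call(args: str) -> str:
    """Return 'literal-only', 'tainted' or 'variable' for one logger call's argument list."""
    parts = split_args(args)
    if all(STRING_LITERAL.fullmatch(p) for p in parts):
        return "literal-only"
    for p in parts:
        # Blank out string literals so a marker inside quoted text is not a false positive.
        code = STRING_LITERAL.sub('""', p)
        if any(marker in code for marker in TAINT_MARKERS):
            return "tainted"
    return "variable"


def audit(source: str) -> List[Dict[str, object]]:
    """Scan Java source line by line and report every logger call with its verdict."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = LOG_CALL.search(line)
        if not m:
            continue
        findings.append({
            "line": lineno,
            "level": m.group("level"),
            "verdict": classify_log_call(m.group("args")),
            "code": line.strip(),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_JAVA):
        print(f"{f['line']:>3} {f['verdict']:<13} {f['code']}")
```

"literal-only" calls can be set aside immediately; "tainted" ones are the call sites that matter for a lookup-substitution bug like the one under discussion, since the logged message would contain attacker-chosen text; "variable" calls still need the reviewer to trace where the value comes from (a port number or an elapsed time is harmless, a URL copied from a request is not). The scanner only looks at single-line calls and a fixed marker list, so it narrows the review rather than replacing it.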
Re: Risks of Log4j 2 with the Prometheus Exporter?
Posted by Cassandra Targett <ca...@gmail.com>.
Can someone explain why it’s no risk & can’t be exploited? Because it doesn’t take input?
On Dec 12, 2021, 4:26 PM -0600, Uwe Schindler <uw...@thetaphi.de>, wrote:
> +1
>
> I was wondering about this, too. It makes mitigation too complex. There is no risk in the exporter script. Just mention this as a single sentence.
>
> Possibly also add the sentence u declining the importance and why in my previous message on private list.
>
> > On 12 December 2021 22:16:38 UTC, David Smiley <ds...@apache.org> wrote:
> > > Just a simple question here -- does the Prometheus Exporter present a risk for the Log4j 2 vulnerability? It was added to the news page but instinctively I don't see how an attacker might exploit it. If it's not expected to be a concern, I think we should state so in the news; no reason to raise undue alarm bells. Maybe we should remove it.
> > >
> > > ~ David Smiley
> > > Apache Lucene/Solr Search Developer
> > > http://www.linkedin.com/in/davidwsmiley
> --
> Uwe Schindler
> Achterdiek 19, 28357 Bremen
> https://www.thetaphi.de
Re: Risks of Log4j 2 with the Prometheus Exporter?
Posted by Uwe Schindler <uw...@thetaphi.de>.
+1
I was wondering about this, too. It makes mitigation too complex. There is no risk in the exporter script. Just mention this as a single sentence.
Possibly also add the sentence u declining the importance and why in my previous message on private list.
On 12 December 2021 22:16:38 UTC, David Smiley <ds...@apache.org> wrote:
>Just a simple question here -- does the Prometheus Exporter present a risk
>for the Log4j 2 vulnerability? It was added to the news page but
>instinctively I don't see how an attacker might exploit it. If it's not
>expected to be a concern, I think we should state so in the news; no reason
>to raise undue alarm bells. Maybe we should remove it.
>
>~ David Smiley
>Apache Lucene/Solr Search Developer
>http://www.linkedin.com/in/davidwsmiley
--
Uwe Schindler
Achterdiek 19, 28357 Bremen
https://www.thetaphi.de