[
https://issues.apache.org/jira/browse/SOLR-18097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18059064#comment-18059064
]
Piotr Karwasz commented on SOLR-18097:
--------------------------------------
The default Solr logging configuration is *not* affected by CVE-2025-68161. And
even if it were, the vulnerability would be far from a priority. Basically, the
CVE says that if an attacker has *man-in-the-middle* capability, your logging
pipeline might be affected. However, in the case of a MITM capability, there
are many other more critical services that can be affected.
I'll take a look at the VEX-generating workflows this week.
> Log4j Upgrade: 2.17.2 → 2.25.3 (CVE-2025-68161 Remediation) Confirmation on
> remediation
> ---------------------------------------------------------------------------------------
>
> Key: SOLR-18097
> URL: https://issues.apache.org/jira/browse/SOLR-18097
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: SolrCloud
> Affects Versions: 8.4
> Reporter: Aviral Sinha
> Priority: Blocker
>
> _*Given that we do not utilize socket appenders or any network-based logging
> mechanisms, we believe that vulnerabilities specifically targeting the
> transmission of logs over the network (such as those requiring a Socket
> Appender to be active) are not applicable to our current architecture.*_
>
> Could you please confirm if our assessment is correct? Specifically, we want
> to ensure that in the absence of a declared Socket Appender, the risk of
> exploitation is mitigated.
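The check the reporter asks about (is a Socket appender declared at all, and if so does it use TLS?) can be automated against the deployed log4j2.xml. This is an added example, not code from Solr or Log4j; the two sample configurations and the host `logcollector.example` are constructed, and flagging Syslog/Http/Kafka alongside Socket is an extension of the check beyond what the thread discusses.

```python
"""Scan a Log4j 2 XML configuration for declared network appenders.

Added example for this thread, not Solr's or Log4j's own code. It parses the
<Appenders> section and reports each network-based appender and whether its
declaration uses TLS, which is what matters for the MITM scenario in the CVE text.
"""
import xml.etree.ElementTree as ET

# Log4j 2 appender elements that send log events over the network. "Socket" is
# the one discussed in the issue; the other names are an extension of the check.
NETWORK_APPENDERS = {"Socket", "Syslog", "Http", "Kafka"}

# Constructed sample: console plus rolling file only, no network transport.
FILE_ONLY_CONFIG = """<Configuration>
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT"><PatternLayout pattern="%m%n"/></Console>
    <RollingRandomAccessFile name="MainLogFile" fileName="logs/solr.log"
        filePattern="logs/solr.log.%i">
      <PatternLayout pattern="%d %p %m%n"/>
    </RollingRandomAccessFile>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="MainLogFile"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the same file, plus a plaintext TCP Socket appender.
SOCKET_CONFIG = FILE_ONLY_CONFIG.replace(
    "</Appenders>",
    '<Socket name="Remote" host="logcollector.example" port="4560" protocol="TCP">'
    '<PatternLayout pattern="%m%n"/></Socket></Appenders>')

def find_network_appenders(xml_text: str) -> list:
    """Return one dict per network appender declared under <Appenders>."""
    root = ET.fromstring(xml_text)
    findings = []
    for appenders in root.iter("Appenders"):
        for elem in appenders:
            if elem.tag not in NETWORK_APPENDERS:
                continue
            # A Socket appender is encrypted only with protocol="SSL" or an <SSL> child.
            tls = elem.get("protocol", "").upper() == "SSL" or elem.find("SSL") is not None
            findings.append({"type": elem.tag, "name": elem.get("name"),
                             "host": elem.get("host"), "port": elem.get("port"),
                             "tls": tls})
    return findings

def plaintext_network_appenders(xml_text: str) -> list:
    """Names of network appenders that would carry log events unencrypted."""
    return [f["name"] for f in find_network_appenders(xml_text) if not f["tls"]]
```

Run `find_network_appenders` over the configuration Solr actually loads (the `-Dlog4j2.configurationFile` value or `server/resources/log4j2.xml`); an empty result is the evidence the reporter is asking for, and any entry with `tls: False` is the case the comment describes.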
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]