Hi Christian,
So you already knew :)
Very glad to read your answer; the exploitation attempts are already showing up in the logs.
thanks, this helps a lot, Marc
On Mon, 13 Dec 2021, Christian Grün wrote:
Hi Marc,
I was waiting for that question ;)
All fine, BaseX uses a custom logger, as does Jetty [1,2].
You may need to check your setup, though, if you use Tomcat as web server or any additional search index applications like Solr or Elasticsearch. ES is only susceptible to information leak, not remote code execution [3].
Hope this helps, Christian
[1] https://docs.basex.org/wiki/Logging
[2] https://docs.huihoo.com/jetty/the-definitive-reference/configuring-logging.h...
[3] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnera...
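One way to do the setup check Christian describes (Tomcat, Solr, Elasticsearch or any other Java component deployed next to BaseX), added here as an example and not code from the thread or from the BaseX project: it walks an install directory, opens every jar/war/ear, and reports archives that still ship Log4j's JndiLookup class together with the version read from the file name or manifest. The directory layout, jar names and version strings in the demo are constructed.

```python
"""Inventory Java archives for Log4j 2's JndiLookup class (constructed demo)."""
import re
import tempfile
import zipfile
from pathlib import Path

# Class that carries the JNDI lookup in log4j-core 2.x; a hit is a triage lead,
# the version decides whether the build is one that still needs attention.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")


def inspect_jar(path: Path) -> dict:
    """Report path, version and whether the archive contains the lookup class."""
    info = {"path": str(path), "version": None, "has_jndi_lookup": False}
    m = NAME_RE.search(path.name)
    if m:
        info["version"] = m.group(1)
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        info["has_jndi_lookup"] = JNDI_LOOKUP in names
        # Fall back to the manifest when the file name carries no version.
        if info["version"] is None and "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            vm = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if vm and "log4j" in manifest.lower():
                info["version"] = vm.group(1)
    return info


def scan_tree(root) -> list:
    """Walk an install tree (BaseX, Jetty, Tomcat, Solr, ...) and list archives with the class."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".jar", ".war", ".ear") and zipfile.is_zipfile(p):
            info = inspect_jar(p)
            if info["has_jndi_lookup"]:
                findings.append(info)
    return findings


def demo() -> list:
    """Constructed input: a clean jar beside a log4j-core jar that still has the lookup class."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    with zipfile.ZipFile(root / "lib" / "basex-9.6.jar", "w") as zf:
        zf.writestr("org/basex/BaseX.class", b"")           # no Log4j inside
    with zipfile.ZipFile(root / "lib" / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")                        # hypothetical vulnerable-era build
        zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.14.1\n")
    return scan_tree(root)
```

Point `scan_tree()` at the real installation root instead of `demo()`; anything it returns is a jar to compare against the vendor advisories Christian links.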
On Mon, Dec 13, 2021 at 4:11 PM Marc Coenegracht marc@crosseyed.nl wrote:
Does BaseX (9.x or 8.x) use Log4j in any of its components? If not, should one still worry about the JRE?
Regards, Marc