lucene-solr-user mailing list archives

From Andreas Hubold <andreas.hub...@coremedia.com>
Subject Re: Solr dependencies with security issues (CVEs)
Date Fri, 25 Jan 2019 08:25:54 GMT
Thank you, that Wiki page helps a lot.

Andreas

Jan Høydahl wrote on 24.01.19 at 13:28:
> Please see https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools for a list of CVEs that do NOT affect Solr.
>
> As that page states, if you believe that one of the CVEs is really exploitable in Solr, then please attempt to describe why you believe Solr is vulnerable, and send a report to security@apache.org and/or file a private JIRA issue. Do not explain a new vulnerability on open mailing lists.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
>> On 24 Jan 2019 at 13:10, Andreas Hubold <andreas.hubold@coremedia.com> wrote:
>>
>> Hi,
>>
>> in our project, we're checking JAR dependencies with the OWASP dependency check [1] for security issues for which CVEs have been reported.
>>
>> There are CVEs for some of Solr's third-party dependencies in version 7.6.0, and I wonder if you have plans to update these to unaffected versions. I don't know if these CVEs affect Solr, but even if they don't, IMHO it would be good to update them so that users don't need to analyze the reports in detail.
>>
>> This is what I found for solr-core Maven dependencies:
>>
>> * protobuf-java-3.1.0.jar https://nvd.nist.gov/vuln/detail/CVE-2015-5237 (fixed since protobuf 3.4)
>> * dom4j-1.6.1.jar https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 (fixed in dom4j 2.1.1)
>> * hadoop-hdfs-2.7.4.jar https://nvd.nist.gov/vuln/detail/CVE-2017-15718 (fixed in hadoop 2.7.5)
>>
>> What do you think?
>>
>> Thanks,
>> Andreas
>>
>> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
>>
>

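The triage described in this thread, as an added example that is not part of the original messages or of the Solr project: a script that reads an OWASP dependency-check JSON report, separates the CVEs that the wiki page documents as not affecting Solr from those that still need a human look, and writes a dependency-check suppression file that records the justification next to each suppressed CVE. The sample report and the not-affected entry are constructed for the demonstration (the jar names and CVE ids are taken from Andreas's list, but nothing here says whether any of them is actually on the wiki list); the report field names (`dependencies[].fileName`, `dependencies[].vulnerabilities[].name`) and the suppression-file elements (`suppress`, `notes`, `filePath`, `cve`) are assumed from the dependency-check formats and should be checked against the version in use.

```python
"""Triage a dependency-check JSON report against an upstream "does NOT affect"
list and emit a suppression file with justifications.

Added example, not code from the Solr project or this thread. Report and
suppression layouts are assumptions about dependency-check's formats.
"""
import json
import re
from xml.etree import ElementTree as ET

# Constructed sample report, shaped like dependency-check's JSON output.
# The jar versions and CVE ids are the ones named in the thread; the report
# itself is made up (no sha1/evidence fields, which the script does not need).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "protobuf-java-3.1.0.jar",
         "vulnerabilities": [{"name": "CVE-2015-5237", "severity": "HIGH"}]},
        {"fileName": "dom4j-1.6.1.jar",
         "vulnerabilities": [{"name": "CVE-2018-1000632", "severity": "MEDIUM"}]},
        {"fileName": "hadoop-hdfs-2.7.4.jar",
         "vulnerabilities": [{"name": "CVE-2017-15718", "severity": "HIGH"}]},
        {"fileName": "lucene-core-7.6.0.jar"},  # clean jar: no "vulnerabilities" key
    ]
})

# Placeholder for the wiki's "does NOT affect Solr" list: CVE -> justification.
# Constructed for the demonstration only; populate it from the wiki page and do
# not treat this entry as a statement about Solr.
NOT_AFFECTED = {
    "CVE-2015-5237": "placeholder justification, copy the wiki's reasoning here",
}

# Namespace of the suppression schema as known to the author of this example;
# check against the dependency-check documentation for your version.
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"


def triage(report_json, not_affected):
    """Split report findings into (suppressible, needs_analysis).

    Each entry is (fileName, cve). A CVE is suppressible only if the
    not-affected list has a justification for it; anything else needs analysis
    and, if it turns out to be exploitable, a private report to the project.
    """
    report = json.loads(report_json)
    suppressible, needs_analysis = [], []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            entry = (dep["fileName"], vuln.get("name", ""))
            (suppressible if entry[1] in not_affected else needs_analysis).append(entry)
    return suppressible, needs_analysis


def suppression_xml(suppressible, not_affected):
    """Build a suppression file: one <suppress> per (jar, CVE), justification in <notes>.

    filePath is a regex anchored on the jar name only, so the rule survives a
    change of build directory but does not silence the CVE on other jars.
    """
    root = ET.Element("suppressions", xmlns=SUPPRESSION_NS)
    for file_name, cve in suppressible:
        sup = ET.SubElement(root, "suppress")
        ET.SubElement(sup, "notes").text = f"{cve} on {file_name}: {not_affected[cve]}"
        ET.SubElement(sup, "filePath", regex="true").text = ".*" + re.escape(file_name)
        ET.SubElement(sup, "cve").text = cve
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    documented, todo = triage(SAMPLE_REPORT, NOT_AFFECTED)
    print("documented upstream as not affecting Solr (suppress, justification recorded):")
    for jar, cve in documented:
        print(f"  {jar}: {cve}")
    print("still to analyze (report privately if exploitable, never on the open list):")
    for jar, cve in todo:
        print(f"  {jar}: {cve}")
    print(suppression_xml(documented, NOT_AFFECTED))
```

Point dependency-check at the generated file with its suppression-file option and keep the file under version control: each `<notes>` then documents why a finding was accepted, and the CVEs that stay in the "still to analyze" list are the ones worth either upgrading (as Andreas proposes) or, if a real exposure is found, reporting privately as Jan describes.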
