Solr dependencies with security issues (CVEs)

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Solr dependencies with security issues (CVEs)

ahubold
Hi,

in our project, we're checking JAR dependencies with the OWASP
dependency check [1] for security issues for which CVEs have been reported.

There are CVEs for some of Solr's third-party dependencies in version
7.6.0, and I wonder if you have plans to update these to unaffected
versions. I don't know if these CVEs affect Solr, but event if they
don't, IMHO it would be good to update them so that users don't need to
analyze the reports in detail.

This is what I found for solr-core Maven dependencies:

* protobuf-java-3.1.0.jar https://nvd.nist.gov/vuln/detail/CVE-2015-5237 
(fixed since protobuf 3.4)
* dom4j-1.6.1.jar https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 
(fixed in dom4j 2.1.1)
* hadoop-hdfs-2.7.4.jar https://nvd.nist.gov/vuln/detail/CVE-2017-15718 
(fixed in hadoop 2.7.5)

What do you think?

Thanks,
Andreas

[1] https://www.owasp.org/index.php/OWASP_Dependency_Check

Reply | Threaded
Open this post in threaded view
|

Re: Solr dependencies with security issues (CVEs)

Jan Høydahl / Cominvent
Please see https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools <https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools> for a list of CVEs that do NOT affect Solr.

As that page states, if you believe that one of the CVEs are really exploitable in Solr, then please attempt to describe why you believe Solr is vulnerable, and send a report to [hidden email] <mailto:[hidden email]> and/or file a private JIRA issue. Do not explain a new vulnerability on open mailing lists.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 24. jan. 2019 kl. 13:10 skrev Andreas Hubold <[hidden email]>:
>
> Hi,
>
> in our project, we're checking JAR dependencies with the OWASP dependency check [1] for security issues for which CVEs have been reported.
>
> There are CVEs for some of Solr's third-party dependencies in version 7.6.0, and I wonder if you have plans to update these to unaffected versions. I don't know if these CVEs affect Solr, but event if they don't, IMHO it would be good to update them so that users don't need to analyze the reports in detail.
>
> This is what I found for solr-core Maven dependencies:
>
> * protobuf-java-3.1.0.jar https://nvd.nist.gov/vuln/detail/CVE-2015-5237 (fixed since protobuf 3.4)
> * dom4j-1.6.1.jar https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 (fixed in dom4j 2.1.1)
> * hadoop-hdfs-2.7.4.jar https://nvd.nist.gov/vuln/detail/CVE-2017-15718 (fixed in hadoop 2.7.5)
>
> What do you think?
>
> Thanks,
> Andreas
>
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
>

Reply | Threaded
Open this post in threaded view
|

Re: Solr dependencies with security issues (CVEs)

ahubold
Thank you, that Wiki page helps a lot.

Andreas

Jan Høydahl schrieb am 24.01.19 um 13:28:

> Please see https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools <https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools> for a list of CVEs that do NOT affect Solr.
>
> As that page states, if you believe that one of the CVEs are really exploitable in Solr, then please attempt to describe why you believe Solr is vulnerable, and send a report to [hidden email] <mailto:[hidden email]> and/or file a private JIRA issue. Do not explain a new vulnerability on open mailing lists.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
>> 24. jan. 2019 kl. 13:10 skrev Andreas Hubold <[hidden email]>:
>>
>> Hi,
>>
>> in our project, we're checking JAR dependencies with the OWASP dependency check [1] for security issues for which CVEs have been reported.
>>
>> There are CVEs for some of Solr's third-party dependencies in version 7.6.0, and I wonder if you have plans to update these to unaffected versions. I don't know if these CVEs affect Solr, but event if they don't, IMHO it would be good to update them so that users don't need to analyze the reports in detail.
>>
>> This is what I found for solr-core Maven dependencies:
>>
>> * protobuf-java-3.1.0.jar https://nvd.nist.gov/vuln/detail/CVE-2015-5237 (fixed since protobuf 3.4)
>> * dom4j-1.6.1.jar https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 (fixed in dom4j 2.1.1)
>> * hadoop-hdfs-2.7.4.jar https://nvd.nist.gov/vuln/detail/CVE-2017-15718 (fixed in hadoop 2.7.5)
>>
>> What do you think?
>>
>> Thanks,
>> Andreas
>>
>> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
>>
>