Vulnerabilities in SOLR 8.6.2


Vulnerabilities in SOLR 8.6.2

Narayanan, Lakshmi

Hello Solr-User Support team

We have installed the SOLR 8.6.2 package into a Docker container in our DEV environment. Prior to using it, our security team scanned the Docker image using SysDig and found a lot of Critical/High/Medium vulnerabilities. The full list is in the attached spreadsheet.

Scan Summary

30 STOPS     190 WARNS    188 Vulnerabilities

Please advise or point us to how/where to get a package that has been patched for the Critical/High/Medium vulnerabilities in the attached spreadsheet.

Your help will be gratefully received.

 

 

Lakshmi Narayanan

Marsh & McLennan Companies

121 River Street, Hoboken,NJ-07030

201-284-3345

M: 845-300-3809

Email: [hidden email]

**********************************************************************
This e-mail, including any attachments that accompany it, may contain
information that is confidential or privileged. This e-mail is
intended solely for the use of the individual(s) to whom it was intended to be
addressed. If you have received this e-mail and are not an intended recipient,
any disclosure, distribution, copying or other use or
retention of this email or information contained within it are prohibited.
If you have received this email in error, please immediately
reply to the sender via e-mail and also permanently
delete all copies of the original message together with any of its attachments
from your computer or device.
**********************************************************************

Attachment: SOLR862 Vulnerabilities.xlsx (22K)

Re: Vulnerabilities in SOLR 8.6.2

Cassandra Targett
Solr follows the ASF policy for reporting vulnerabilities, described on this page on our website: https://lucene.apache.org/solr/security.html. This page also lists known vulnerabilities that have been addressed, with their mitigation steps.

Scanning tools are commonly full of false positives, so for this reason the community does not accept unfiltered scanner output such as a spreadsheet as a vulnerability report.

We attempt to maintain a list of known false positives (also linked from the website) at: https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools. But in all honesty such a list is really hard to keep up with. Exact versions in your report may differ from what's on the list, but usually the general conclusion that it's not an exploitable issue remains. For example, our list notes that a CVE for 'dom4j-1.6.1.jar' is not an exploitable vulnerability because it is only used in tests. If a CVE comes out for 'dom4j-1.7.3.jar' (if such a version exists), the fact remains that the dependency is only used in tests and is still not exploitable in a production system.

If you do find a real vulnerability you are concerned about, ASF policy is for you to privately report it to the community so it can be addressed before hackers have a chance to attempt to exploit user systems. How to do that is also described on the Security page on our website linked above.

-Cassandra
On Sep 28, 2020, 2:07 PM -0500, Narayanan, Lakshmi <[hidden email]>, wrote:

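A small triage helper that applies the version-insensitive reasoning Cassandra describes: match each scanner finding against a known-false-positive list by artifact name, so that a newer version of a test-only dependency is still flagged as a likely false positive rather than a new Critical. This is an added example, not code from the Solr project or from the thread; the scanner rows, the false-positive entry and the CVE ids are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample rows modelled on an image-scanner export:
# (artifact, CVE, severity). The CVE ids are placeholders, not real identifiers.
SCAN_ROWS = [
    ("dom4j-1.6.1.jar", "CVE-0000-00001", "Critical"),
    ("dom4j-1.7.3.jar", "CVE-0000-00002", "Critical"),
    ("jetty-server-9.4.27.v20200227.jar", "CVE-0000-00003", "High"),
    ("commons-io-2.6.jar", "CVE-0000-00004", "Medium"),
]

# Assumed local copy of a known-false-positive list, keyed by artifact name
# without its version: listed version and the reason it is not exploitable.
KNOWN_FALSE_POSITIVES = {
    "dom4j": ("1.6.1", "only used in tests, not on the runtime classpath"),
}

_JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[^/]*?)\.jar$")


def split_jar(jar):
    """Split 'name-version.jar' into (name, version); version is None if absent."""
    m = _JAR_RE.match(jar)
    if not m:
        return (jar[:-4] if jar.endswith(".jar") else jar, None)
    return (m.group("name"), m.group("version"))


def triage(rows, known_fp):
    """Classify each finding as a listed false positive, a likely false positive
    (same artifact, different version: the same reasoning applies, but a human
    should confirm), or a finding that still needs review."""
    results = []
    for jar, cve, severity in rows:
        name, version = split_jar(jar)
        if name in known_fp:
            listed_version, reason = known_fp[name]
            status = ("known-false-positive" if version == listed_version
                      else "likely-false-positive (version differs from list)")
        else:
            reason, status = "", "needs-review"
        results.append({"artifact": jar, "cve": cve, "severity": severity,
                        "status": status, "reason": reason})
    return results


def summarize(results):
    """Count findings per status, ignoring the parenthetical detail."""
    return Counter(r["status"].split(" ")[0] for r in results)
```

Only the `needs-review` rows are candidates for the private report described on the Security page; the rest should be checked against the wiki list before escalating.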

FW: Vulnerabilities in SOLR 8.6.2

Narayanan, Lakshmi
In reply to this post by Narayanan, Lakshmi

This is my 5th attempt in the last 60 days

Is there anyone looking at these mails?

Does anyone care?? :(


From: Narayanan, Lakshmi <[hidden email]>
Sent: Thursday, October 22, 2020 1:06 PM
To: [hidden email]
Subject: FW: Vulnerabilities in SOLR 8.6.2

 

This is my 4th attempt to contact

Please advise, if there is a build that fixes these vulnerabilities


From: Narayanan, Lakshmi <[hidden email]>
Sent: Sunday, October 18, 2020 4:01 PM
To: [hidden email]
Subject: FW: Vulnerabilities in SOLR 8.6.2

 

SOLR-User Support team

Is there anyone who can answer my question or can point to someone who can help

I have not had any response for the past 3 weeks !?

Please advise


From: Narayanan, Lakshmi <[hidden email]>
Sent: Sunday, October 04, 2020 2:11 PM
To: [hidden email]
Cc: Chattopadhyay, Salil <[hidden email]>; Mutnuri, Vishnu D <[hidden email]>; Pathak, Omkar <[hidden email]>; Shenouda, Nasir B <[hidden email]>
Subject: RE: Vulnerabilities in SOLR 8.6.2

 

Hello Solr-User Support team

Please advise or provide further guidance on the request below

 

Thank you!


From: Narayanan, Lakshmi <[hidden email]>
Sent: Monday, September 28, 2020 1:52 PM
To: [hidden email]
Cc: Chattopadhyay, Salil <[hidden email]>; Mutnuri, Vishnu D <[hidden email]>; Pathak, Omkar <[hidden email]>; Shenouda, Nasir B <[hidden email]>
Subject: Vulnerabilities in SOLR 8.6.2
Importance: High


Re: FW: Vulnerabilities in SOLR 8.6.2

Kevin Risden-3
As far as I can tell only your first and 5th emails went through. Either
way, Cassandra responded on 20200929 - ~15 hrs after your first message:

http://mail-archives.apache.org/mod_mbox/lucene-solr-user/202009.mbox/%3Cbe447e96-60ed-4a40-88dd-9e0c28be6c71%40Spark%3E

Kevin Risden


On Fri, Nov 13, 2020 at 11:35 AM Narayanan, Lakshmi
<[hidden email]> wrote: