This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new cc9d913cc Automatic Site Publish by Buildbot
cc9d913cc is described below
commit cc9d913ccec081ee844fcfe2e2ec6ec6b3f305b3
Author: buildbot <[email protected]>
AuthorDate: Wed Nov 23 05:15:28 2022 +0000
Automatic Site Publish by Buildbot
---
output/feeds/all.atom.xml | 23 ++++++++++++++++++++++-
output/feeds/misc.atom.xml | 23 +++++++++++++++++++++++
2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/output/feeds/all.atom.xml b/output/feeds/all.atom.xml
index 6183582ab..5e2af2d49 100644
--- a/output/feeds/all.atom.xml
+++ b/output/feeds/all.atom.xml
@@ -1,5 +1,26 @@
<?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr</title><link
href="/" rel="alternate"></link><link href="/feeds/all.atom.xml"
rel="self"></link><id>/</id><updated>2022-10-21T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Java
17 bug affecting Solr</title><link href="/java-17-bug-affecting-solr.html"
rel="alternate"></link><published>2022-10-21T00:00:00+00:00</published><updated>2022-10-21T00:00:00+00:00</updated><author><name>Solr
Developers< [...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr</title><link
href="/" rel="alternate"></link><link href="/feeds/all.atom.xml"
rel="self"></link><id>/</id><updated>2022-11-20T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache
Solr is vulnerable to CVE-2022-39135 via /sql handler</title><link
href="/apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler.html"
rel="alternate"></link><published>2022-11-20T00:00:00+00:00</published><update
[...]
+Solr 6.5 to 8.11.2
+Solr 9.0</p>
+<p><strong>Description:</strong>
+Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in
Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to
Solr’s “/sql” handler (even indirectly via proxies / other apps), then the user
…</p></summary><content type="html"><p><strong>Versions
Affected:</strong>
+Solr 6.5 to 8.11.2
+Solr 9.0</p>
+<p><strong>Description:</strong>
+Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in
Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to
Solr’s “/sql” handler (even indirectly via proxies / other apps), then the user
could perform an XML External Entity (XXE) attack. This might have been
exposed by some deployers of Solr in order for internal analysts to use JDBC
based tooling, but would have unlikely been granted to wider
audiences.</p>
+<p><strong>Impact:</strong>
+An XXE attack may lead to the disclosure of confidential data, denial of
service, server side request forgery (SSRF), port scanning from the Solr node,
and other system impacts.</p>
+<p><strong>Mitigation:</strong>
+Most Solr installations don’t make use of the SQL functionality. For such
users, the standard Solr security advice of using a firewall should be
adequate. Nonetheless, the functionality can be disabled. As of Solr 9, it
has been modularized and thus became opt-in, so nothing is needed for Solr 9
users that don’t use it. Users <em>not</em> using SolrCloud can’t
use the functionality at all. For other users that wish to disable it, you
must register a request handler that [...]
+<div
class="codehilite"><pre><span></span><code><span
class="err"> &lt;requestHandler name=&quot;/sql&quot;
class=&quot;solr.NotFoundRequestHandler&quot;/&gt;</span>
+</code></pre></div>
+
+<p>Users needing this SQL functionality are forced to upgrade to Solr
9.1. If Solr 8.11.3 is released, then it will be an option as well. Simply
replacing Calcite and other JAR files may mostly work but could fail depending
on the particulars of the query. Users interested in this or in patching their
own versions of Solr should examine SOLR-16421 for a source patch.</p>
+<p><strong>Credit:</strong>
+Andreas Hubold at CoreMedia GmbH</p>
+<p><strong>References:</strong>
+https://nvd.nist.gov/vuln/detail/CVE-2022-39135
+https://issues.apache.org/jira/browse/SOLR-16421</p></content><category
term="misc"></category></entry><entry><title>Java 17 bug affecting
Solr</title><link href="/java-17-bug-affecting-solr.html"
rel="alternate"></link><published>2022-10-21T00:00:00+00:00</published><updated>2022-10-21T00:00:00+00:00</updated><author><name>Solr
Developers</name></author><id>tag:None,2022-10-21:/java-17-bug-affecting-solr.html</id><summary
type="html"><p>Several users running Solr in producti [...]
<p>Known mitigations are to either downgrade to JDK 11 or to start Solr
with a Java startup flag that avoids the failure …</p></summary><content
type="html"><p>Several users running Solr in production on OpenJDK 17
have experienced JVM crashes due to a known bug in the JDK. Read more about the
bug in <a
href="https://issues.apache.org/jira/browse/SOLR-16463">SOLR-16463</a>.</p>
<p>Known mitigations are to either downgrade to JDK 11 or to start Solr
with a Java startup flag that avoids the failure condition. Here is how to
manually apply the flag:</p>
<p>Edit your <code>solr.in.sh</code> or
<code>solr.in.cmd</code> file to set the
<code>SOLR_OPTS</code> environment variable as follows:</p>
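Review bot: the regenerated feed header on the `<updated>2022-11-20T00:00:00+00:00</updated>` line still emits two empty `<subtitle></subtitle>` elements back to back, which RFC 4287 does not allow (a feed carries at most one atom:subtitle); since this file is Buildbot output, the duplicate belongs in the site generator's feed template, not in this commit. Two smaller points in the same hunk: the mitigation snippet `&lt;requestHandler name=&quot;/sql&quot; class=&quot;solr.NotFoundRequestHandler&quot;/&gt;` is wrapped in `<span class="err">`, meaning the highlighter could not lex it, so the source post's code fence should be tagged as XML; and the relative values `href="/"`, `<id>/</id>` and the unchanged entry id `tag:None,2022-10-21:/java-17-bug-affecting-solr.html` indicate the generator is run without an absolute site URL, leaving the feed id as `/` instead of the absolute IRI Atom requires.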
diff --git a/output/feeds/misc.atom.xml b/output/feeds/misc.atom.xml
new file mode 100644
index 000000000..d67663825
--- /dev/null
+++ b/output/feeds/misc.atom.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr -
misc</title><link href="/" rel="alternate"></link><link
href="/feeds/misc.atom.xml"
rel="self"></link><id>/</id><updated>2022-11-20T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache
Solr is vulnerable to CVE-2022-39135 via /sql handler</title><link
href="/apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler.html"
rel="alternate"></link><published>2022-11-20T00:00:00+00:00</published [...]
+Solr 6.5 to 8.11.2
+Solr 9.0</p>
+<p><strong>Description:</strong>
+Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in
Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to
Solr’s “/sql” handler (even indirectly via proxies / other apps), then the user
…</p></summary><content type="html"><p><strong>Versions
Affected:</strong>
+Solr 6.5 to 8.11.2
+Solr 9.0</p>
+<p><strong>Description:</strong>
+Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in
Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to
Solr’s “/sql” handler (even indirectly via proxies / other apps), then the user
could perform an XML External Entity (XXE) attack. This might have been
exposed by some deployers of Solr in order for internal analysts to use JDBC
based tooling, but would have unlikely been granted to wider
audiences.</p>
+<p><strong>Impact:</strong>
+An XXE attack may lead to the disclosure of confidential data, denial of
service, server side request forgery (SSRF), port scanning from the Solr node,
and other system impacts.</p>
+<p><strong>Mitigation:</strong>
+Most Solr installations don’t make use of the SQL functionality. For such
users, the standard Solr security advice of using a firewall should be
adequate. Nonetheless, the functionality can be disabled. As of Solr 9, it
has been modularized and thus became opt-in, so nothing is needed for Solr 9
users that don’t use it. Users <em>not</em> using SolrCloud can’t
use the functionality at all. For other users that wish to disable it, you
must register a request handler that [...]
+<div
class="codehilite"><pre><span></span><code><span
class="err"> &lt;requestHandler name=&quot;/sql&quot;
class=&quot;solr.NotFoundRequestHandler&quot;/&gt;</span>
+</code></pre></div>
+
+<p>Users needing this SQL functionality are forced to upgrade to Solr
9.1. If Solr 8.11.3 is released, then it will be an option as well. Simply
replacing Calcite and other JAR files may mostly work but could fail depending
on the particulars of the query. Users interested in this or in patching their
own versions of Solr should examine SOLR-16421 for a source patch.</p>
+<p><strong>Credit:</strong>
+Andreas Hubold at CoreMedia GmbH</p>
+<p><strong>References:</strong>
+https://nvd.nist.gov/vuln/detail/CVE-2022-39135
+https://issues.apache.org/jira/browse/SOLR-16421</p></content><category
term="misc"></category></entry></feed>
\ No newline at end of file
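Review bot: the new `misc.atom.xml` reuses `<id>/</id>` as its atom:id (the `<updated>2022-11-20T00:00:00+00:00</updated>` line), the same value `all.atom.xml` carries, so readers that identify feeds by id cannot tell the two feeds apart, and a bare `/` is not the absolute IRI RFC 4287 requires; give each feed its own absolute id, for instance the feed's own URL, which again comes down to configuring the generator's site URL. The doubled `<subtitle></subtitle>` from the other feed is repeated here, and the file is written without a trailing newline.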