Hi all…. I was visiting a client today to talk about how we could improve our security posture in Solr. The team I am working with gets a lot of “Need to fix this” issues from the security team when they use their various automated scanners to look at Solr.
We all know that a set of vulnerabilities only apply in certain modes of deploying Solr…. For example: Windows versus Unix. Standalone versus Cloud.

I believe that the VEX standard is how to document how a vulnerability is applied? Are we actively using VEX in our processes or is it still something being evaluated/figured out? I noticed that https://github.com/apache/solr-site/blob/main/vex-input.json hasn’t been updated in 9 months. Are there any JIRAs or other resources I should be looking at?

Having ways to say “this isn’t actually a valid vulnerability for how we deploy Solr, and here is the proof” would be very valuable!

Eric
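As an added example (not from this thread or from the Solr project), one way to state "this does not apply to how we deploy Solr, and here is why" is a VEX statement with status `not_affected` plus a justification and impact statement. The script below assumes the OpenVEX document shape and vocabulary; the CVE id, package URL and document `@id` are placeholders, not real Solr data.

```python
import json
from datetime import datetime, timezone

# OpenVEX status and justification vocabulary (assumed here; check the spec version you adopt).
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def validate_statement(stmt):
    """Return a list of problems; an empty list means the statement is acceptable."""
    problems = []
    if stmt.get("status") not in STATUSES:
        problems.append(f"unknown status {stmt.get('status')!r}")
    if not stmt.get("vulnerability", {}).get("name"):
        problems.append("missing vulnerability name")
    if not stmt.get("products"):
        problems.append("missing products")
    if stmt.get("status") == "not_affected":
        # A not_affected claim must carry its "proof": a justification or an impact statement.
        just = stmt.get("justification")
        if just and just not in JUSTIFICATIONS:
            problems.append(f"unknown justification {just!r}")
        if not just and not stmt.get("impact_statement"):
            problems.append("not_affected requires a justification or impact_statement")
    return problems


def build_vex(author, statements):
    """Wrap validated statements in an OpenVEX-shaped document (assumed layout)."""
    problems = [p for s in statements for p in validate_statement(s)]
    if problems:
        raise ValueError("invalid statements: " + "; ".join(problems))
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/solr-placeholder",  # placeholder document id
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


# Constructed sample: placeholder CVE id and package URL, tied to a deployment mode.
SAMPLE_STATEMENT = {
    "vulnerability": {"name": "CVE-0000-00000"},
    "products": [{"@id": "pkg:maven/org.apache.solr/solr-core@X.Y.Z"}],
    "status": "not_affected",
    "justification": "vulnerable_code_not_in_execute_path",
    "impact_statement": "Only reachable in SolrCloud mode; this deployment runs standalone.",
}

if __name__ == "__main__":
    print(json.dumps(build_vex("security-team@example.invalid", [SAMPLE_STATEMENT]), indent=2))
```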
