[ 
https://issues.apache.org/jira/browse/SOLR-15431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17364484#comment-17364484
 ] 

Timothy Potter commented on SOLR-15431:
---------------------------------------

Afaik, Solr's password checking code does not rely on this {{checkPassword}} 
method (a quick grep didn't find any usages for me). We should still upgrade 
the dependency, but this is not a vulnerability in Solr's authentication layer.

> High Security vulnerability with Bouncy Castle library within Apache Solr 
> 8.8.2
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-15431
>                 URL: https://issues.apache.org/jira/browse/SOLR-15431
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.8.2
>            Reporter: WCM RnD
>            Priority: Major
>
> A high security vulnerability has been reported for the Bouncy Castle library 
> (*bcprov-jdk15on-1.65.jar*) that is bundled within Apache Solr 8.8.2.
> h1. Vulnerability Details
> h2. CVE-2020-26939
> CVE-2020-28052 
> *Affected Component(s):* Bouncy Castle BC Java 1.65 and 1.66.
> *Vulnerability Published:* Dec 17, 2020
> *Vulnerability Updated:* Apr 6, 2021
> *CVSS Score:* 8.1
> *Summary*: An issue was discovered in Legion of the Bouncy Castle BC Java 
> 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared 
> incorrect data when checking the password, allowing incorrect passwords to 
> indicate they were matching with previously hashed ones that were different.
>
> The recommendation is to update to Bouncy Castle version 1.68.0.
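A defender-side regression check for the behaviour the quoted summary describes, added here as an example (it is not code from the issue, from Solr or from Bouncy Castle): it hashes a constructed password with OpenBSDBCrypt, then requires that the correct password verifies and that several wrong candidates are all rejected, so it can be run against the bundled bcprov jar before and after the upgrade. It assumes a bcprov jar is on the classpath; the credentials are constructed samples.

```java
import java.security.SecureRandom;
import java.util.Arrays;

import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class BcryptCheckPasswordSelfTest {

    // Constructed sample credentials; not real passwords.
    private static final String GOOD = "correct horse battery staple";
    private static final String[] WRONG = {
        "correct horse battery stapl3",
        "Correct horse battery staple",
        "password"
    };

    /** True only if the correct password verifies and every wrong candidate is rejected. */
    public static boolean checkPasswordBehavesCorrectly() {
        byte[] salt = new byte[16];                 // bcrypt requires a 16-byte salt
        new SecureRandom().nextBytes(salt);
        char[] good = GOOD.toCharArray();
        String stored = OpenBSDBCrypt.generate(good, salt, 10);   // cost factor 10
        boolean ok = OpenBSDBCrypt.checkPassword(stored, good);
        for (String candidate : WRONG) {
            char[] wrong = candidate.toCharArray();
            // Any wrong candidate that verifies means the comparison is unsound.
            ok &= !OpenBSDBCrypt.checkPassword(stored, wrong);
            Arrays.fill(wrong, '\0');
        }
        Arrays.fill(good, '\0');                    // scrub the sample secret from memory
        return ok;
    }

    public static void main(String[] args) {
        // Report which bcprov build was actually loaded, e.g. from Solr's lib directory.
        System.out.println(new BouncyCastleProvider().getInfo());
        boolean sound = checkPasswordBehavesCorrectly();
        System.out.println("checkPassword sound: " + sound);
        System.exit(sound ? 0 : 1);
    }
}
```

A non-zero exit means the loaded build accepted at least one wrong password, which is the condition the upgrade is meant to remove.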



--
This message was sent by Atlassian Jira
(v8.3.4#803005)