[ 
https://issues.apache.org/jira/browse/SOLR-15850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459726#comment-17459726
 ] 

Jan Høydahl commented on SOLR-15850:
------------------------------------

If you are on v7.5, you can get a patched Docker image by pulling 7.7 instead. 
Only the latest 7.x, 6.x, 5.x versions are supported, as can be seen on 
[https://hub.docker.com/_/solr] under the "Supported tags" section. Version 7.7 
is index- and API compatible with 7.5 and no features are removed, even if some 
features are added. So this should normally be a drop-in replacement, i.e. just 
change the tag and restart the container.

I filed [https://github.com/apache/solr-site/pull/57] to clarify this in our 
security advisory.

> Fix SOLR-Versions to CVE-2021-44228
> -----------------------------------
>
>                 Key: SOLR-15850
>                 URL: https://issues.apache.org/jira/browse/SOLR-15850
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.5
>            Reporter: IIS
>            Assignee: Jan Høydahl
>            Priority: Critical
>
> As we are faced with critical 
> [CVE-2021-44228|https://github.com/advisories/GHSA-jfh8-c2jp-5v3q] 
> (log4shell) these days, we still await security patches to fix log4j 
> vulnerabilities published on December 12th, 2021.
>  
> In our case we're running Apache SOLR via Docker, where some image versions 
> have been patched very quickly, but still some image versions float around in 
> the official Docker Hub without having received the critical security patches.
>  
> e.g. v7.5.0:
> [https://hub.docker.com/layers/solr/library/solr/7.5.0/images/sha256-e3db40fa85e7115d2d1d3eb06f7555b6132e33bd3b6e91b17c0a1690122a7acc?context=explore]
>  
> When will these versions be updated in the Docker Repository to prevent users 
> from being vulnerable with specific SOLR installations running?


