[ 
https://issues.apache.org/jira/browse/SOLR-15855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464111#comment-17464111
 ] 

Chris Adams commented on SOLR-15855:
------------------------------------

{quote}I made this issue "public" because private issues are for discussing 
non-public information.
{quote}
Thanks — I figured that would be the case but it wasn't my call.

I proposed a change for 8.11 in 
[https://github.com/docker-solr/docker-solr/pull/405] but was thinking more 
about the long-term plan for managing dependencies. One concern I have is that 
even if something is not exploitable in the default configuration, an 
increasing fraction of users are going to have security policies which will 
demand updates just in case.


> CVEs in shadowed dependencies
> -----------------------------
>
>                 Key: SOLR-15855
>                 URL: https://issues.apache.org/jira/browse/SOLR-15855
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.11.1
>            Reporter: Chris Adams
>            Priority: Major
>
> Our Solr deployments had a number of CVEs flagged due to shadowed 
> dependencies in some non-core components:
>  *  htrace-core4 pulls in jackson-databind, and hasn't been updated in many 
> years since the project shut down around 2016. This leaves around 50 critical 
> CVEs — although it's not clear whether any of these are actually exploitable 
> in the Solr configuration it will generate a lot of noise for Solr users in 
> security-conscious environments.
> This doesn't appear to be a hard dependency for Solr in normal use but I see 
> that the HBase project has a plan to replace it with a shim: 
> https://issues.apache.org/jira/browse/HBASE-24802
>  * The test framework pulls in junit4-ant which has an old simple-xml 
> vulnerable to 
> [CVE-2017-1000190|https://nvd.nist.gov/vuln/detail/CVE-2017-1000190]: 
> /opt/solr-8.11.1/dist/test-framework/lib/junit4-ant-2.7.2.jar
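The issue turns on dependencies a scanner sees only because they are bundled inside another library's jar (jackson-databind inside htrace-core4, simple-xml inside junit4-ant). As an added example, not code from this thread or from the Solr or docker-solr projects, the script below inventories that situation from the defender's side: it walks a directory of jars, reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries that Maven-built libraries embed, and reports every artifact whose coordinates do not match the jar it lives in. The jar names, groupIds and versions in the demo are constructed stand-ins; `0.0.0-constructed` is a placeholder, not the version Solr actually ships.

```python
"""Find dependencies shaded inside other jars by reading embedded pom.properties.

Added example; not part of the Jira thread or of Solr. Assumes jars built by
Maven, which embed META-INF/maven/<group>/<artifact>/pom.properties for every
artifact merged into them (shade/assembly plugins keep these entries, which is
why vulnerability scanners can attribute a CVE to a jar with a different name).
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Matches the path of an embedded Maven descriptor and captures group/artifact.
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_pom_properties(text):
    """Parse the key=value lines of a pom.properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def bundled_artifacts(jar_path):
    """Return every (groupId, artifactId, version) descriptor embedded in the jar."""
    found = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            match = POM_PROPS.match(name)
            if not match:
                continue
            props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
            found.append((props.get("groupId", match.group(1)),
                          props.get("artifactId", match.group(2)),
                          props.get("version", "?")))
    return found


def shaded_dependencies(jar_path):
    """Artifacts whose artifactId does not match the jar's own file name.

    A jar named htrace-core4-<version>.jar legitimately carries the htrace-core4
    descriptor; anything else it carries is a shaded (hidden) dependency.
    """
    base = Path(jar_path).stem
    return [art for art in bundled_artifacts(jar_path) if not base.startswith(art[1])]


def scan_directory(root):
    """Map each jar under root (posix-relative path) to its shaded dependencies."""
    root = Path(root)
    report = {}
    for jar in sorted(root.rglob("*.jar")):
        deps = shaded_dependencies(jar)
        if deps:
            report[jar.relative_to(root).as_posix()] = deps
    return report


def make_sample_jar(path, own, bundled):
    """Write a constructed jar carrying descriptors for itself and for bundled artifacts."""
    with zipfile.ZipFile(path, "w") as zf:
        for group, artifact, version in [own, *bundled]:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"# constructed sample\ngroupId={group}\n"
                        f"artifactId={artifact}\nversion={version}\n")


def demo():
    """Build a constructed lib/ directory and scan it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        # Constructed: a wrapper jar that shades a second artifact inside itself.
        make_sample_jar(lib / "htrace-core4-0.0.0-constructed.jar",
                        ("org.apache.htrace", "htrace-core4", "0.0.0-constructed"),
                        [("com.fasterxml.jackson.core", "jackson-databind", "0.0.0-constructed")])
        # Constructed: a plain jar that carries only its own descriptor.
        make_sample_jar(lib / "plain-lib-0.0.0-constructed.jar",
                        ("example.constructed", "plain-lib", "0.0.0-constructed"), [])
        return scan_directory(tmp)


if __name__ == "__main__":
    for jar, deps in demo().items():
        for group, artifact, version in deps:
            print(f"{jar}: shades {group}:{artifact}:{version}")
```

Run it against a real distribution with `scan_directory("/opt/solr-8.11.1")` to get the list of jars whose scanner findings belong to a library with a different name; that list is what a security policy review needs in order to decide whether a flagged artifact is reachable in the deployed configuration or is a shaded copy to be upgraded or removed.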



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
