hossman commented on PR #3731: URL: https://github.com/apache/solr/pull/3731#issuecomment-3387070301
### Congratulations! This PR enabled the success of a third-party supply chain attack against the Solr code base!

Fortunately the "attacker" in this situation appears to have been well meaning: A software dev attempting to **replace** the jar files of the `25.10.0` release of their software _they had already published_...

```
hossman@slate:~/lucene/solr [j21] [195917484f6] $ git rev-parse HEAD
195917484f6331da361e9a03af336b0bcbef1010
hossman@slate:~/lucene/solr [j21] [195917484f6] $ grep '.' solr/licenses/cuvs*jar*
solr/licenses/cuvs-java-25.10.0.jar.sha1:61f3a3ce565a659d296775a7b06fc20dabccee41
solr/licenses/cuvs-lucene-25.10.0.jar.sha1:b5a458458255bfdfa6688a571b5bee032428f2d4
```

...with "newer" jars that fixed a bug, _but did use a new version number_...

```
hossman@slate:~/lucene/solr [j21] [4cd4a8e016d] $ git rev-parse HEAD
4cd4a8e016d46ba5e46bbae0726f9194bdcaae44
hossman@slate:~/lucene/solr [j21] [4cd4a8e016d] $ grep '.' solr/licenses/cuvs*jar*
solr/licenses/cuvs-java-25.10.0.jar.sha1:6c22acfbdbc7f3a4a78a2edea46124df872e9ea5
solr/licenses/cuvs-lucene-25.10.0.jar.sha1:28c49fd9f03aa25dccc75da517247c9bc46e64b8
```

This PR circumvented the jar checksums we have in place precisely to detect supply chain injection type situations, by accepting the change w/o question. If the "attacker" had been more malicious, this PR would have been complicit in compromising the security of any Solr deployment that enabled the `cuvs` solr module in a future Solr release.

----

**_We clearly need to be more diligent in how we handle third-party jar checksum failures._**

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
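The comment above describes a pinned-checksum check that was bypassed by simply accepting new hashes for an unchanged version number. The following is an added example, not Solr's own Gradle checksum task and not code from the PR: it models the same control in a reviewer-friendly form, reading `<name>.jar.sha1` files from a licenses directory and comparing them against the jars actually present. The directory layout, the file names `cuvs-java-25.10.0.jar` / `cuvs-lucene-25.10.0.jar`, the jar contents and the `missing-1.0.0.jar.sha1` entry are all constructed for the demo; the hashes are computed at runtime rather than copied from the page.

```python
"""Verify third-party jars against pinned .sha1 files (added example, not Solr's own build logic).

Assumed layout, modelled on solr/licenses/<name>.jar.sha1:
  <licenses_dir>/<name>.jar.sha1  holds the hex SHA-1 expected for
  <jars_dir>/<name>.jar
A mismatch on an *unchanged* version number is exactly the signal the PR comment is
about: the right response is to investigate, not to overwrite the .sha1 file.
"""
import hashlib
import tempfile
from pathlib import Path


def sha1_of_file(path: Path) -> str:
    """Stream a file through SHA-1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_pinned_sha1(sha_file: Path) -> str:
    """Accept both a bare hash and the 'hash  filename' form sha1sum emits."""
    return sha_file.read_text().split()[0].strip().lower()


def verify_checksums(licenses_dir: Path, jars_dir: Path) -> dict:
    """Return {jar name: 'ok' | 'MISMATCH' | 'MISSING'} for every pinned checksum."""
    results = {}
    for sha_file in sorted(licenses_dir.glob("*.jar.sha1")):
        jar_name = sha_file.name[: -len(".sha1")]
        jar = jars_dir / jar_name
        if not jar.exists():
            results[jar_name] = "MISSING"
            continue
        expected = read_pinned_sha1(sha_file)
        results[jar_name] = "ok" if sha1_of_file(jar) == expected else "MISMATCH"
    return results


def demo() -> dict:
    """Build a constructed repo layout and run the check.

    cuvs-java:   jar matches its pin                          -> ok
    cuvs-lucene: same version number, silently republished     -> MISMATCH
    missing:     pin exists but no jar was fetched             -> MISSING
    """
    with tempfile.TemporaryDirectory() as tmp:
        licenses = Path(tmp) / "licenses"
        jars = Path(tmp) / "jars"
        licenses.mkdir()
        jars.mkdir()

        original = b"constructed original 25.10.0 build"
        republished = b"constructed republished 25.10.0 build"  # same version, new bytes

        (jars / "cuvs-java-25.10.0.jar").write_bytes(original)
        (jars / "cuvs-lucene-25.10.0.jar").write_bytes(republished)

        pinned = hashlib.sha1(original).hexdigest()
        # Both pins were taken when the *original* jars were vetted.
        (licenses / "cuvs-java-25.10.0.jar.sha1").write_text(pinned + "\n")
        (licenses / "cuvs-lucene-25.10.0.jar.sha1").write_text(
            pinned + "  cuvs-lucene-25.10.0.jar\n"  # sha1sum-style line
        )
        (licenses / "missing-1.0.0.jar.sha1").write_text(pinned + "\n")

        return verify_checksums(licenses, jars)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The check deliberately has no "update the pin" path: a `MISMATCH` result on a jar whose version string did not change should fail the build and be resolved by a human confirming with the upstream project why the published artifact changed, which is the diligence the comment asks for.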
