ppkarwasz commented on code in PR #173:
URL: https://github.com/apache/solr-site/pull/173#discussion_r3136312568


##########
vex-input.json:
##########
@@ -495,5 +495,69 @@
       "state": "not_affected",
       "detail": "The only places we use json-path is for querying (via 
Calcite) and for transforming/indexing custom JSON. Since the advisory 
describes a problem that is limited to the current thread, and users that are 
allowed to query/transform/index are already trusted to cause load to some 
extent, this advisory does not appear to have impact on the way json-path is 
used in Solr."
     }
+  },
+  {
+    "ids": [
+      "CVE-2026-34480",
+      "CVE-2026-34478",
+      "CVE-2026-34477",
+      "CVE-2026-34479",
+      "CVE-2026-34481"
+    ],
+    "versions": "10.0.0",
+    "jars": [
+      "log4j-core-2.25.3.jar",
+      "log4j-1.2-api-2.25.3.jar",
+      "log4j-layout-template-json-2.25.3.jar"
+    ],
+    "analysis": {
+      "state": "not_affected",
+      "justification": "requires_configuration",
+      "detail": "All five CVEs require non-default Log4j layout or appender 
configurations that Solr does not use. CVE-2026-34480 affects XmlLayout (Solr 
uses PatternLayout). CVE-2026-34478 affects Rfc5424Layout with TCP/TLS syslog 
framing (Solr does not configure a SyslogAppender with TCP framing). 
CVE-2026-34477 is an incomplete fix for SSL hostname verification in 
SMTP/Socket/Syslog appenders — Solr does not configure these appenders with 
TLS. CVE-2026-34479 affects Log4j1XmlLayout in the 1.x bridge (Solr does not 
use Log4j 1.x XML layout). CVE-2026-34481 affects JsonTemplateLayout when 
logging MapMessage with attacker-controlled floating-point values — Solr does 
not use JsonTemplateLayout. Solr's default log configuration uses PatternLayout 
and does not include any of the affected appender/layout types."
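
Review bot: The `ids` array is not in ascending order (34480, 34478, 34477, 34479, 34481); sorting it makes the entry easier to compare against the upstream advisories and keeps it consistent when further IDs are appended. Separately, the `detail` opens with "configurations that Solr does not use" but closes with "Solr's default log configuration", and since the justification is `requires_configuration` the narrower scope is the accurate one: consider stating that the assessment applies to the log configuration Solr ships, and that an operator who edits it to add a Socket/SMTP/Syslog appender with TLS, a Syslog appender with TCP framing, or an XmlLayout, Log4j1XmlLayout or JsonTemplateLayout brings their deployment back into scope of the respective CVE.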

Review Comment:
   Confirmed: these vulnerabilities impact a very small number of users and 
Solr is **not** one of them.
   
   I will run the VEX Generator for the remaining ones over the weekend, but the 
explanations look plausible.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
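
Because the entry above is justified by `requires_configuration`, the practical follow-up for an operator is to check their own Log4j 2 configuration rather than the shipped one. The script below is an added example, not code from the Solr project or the PR: it parses a Log4j 2 XML configuration and reports which of the five layout/appender conditions named in the VEX detail are present. The element and attribute names (`Appenders`, `Syslog` with `protocol`/`format`, `Socket` with `protocol`, `SMTP` with `smtpProtocol`, a nested `SSL` element, and the layout plugin names) are the Log4j 2 XML syntax as I understand it and are assumptions here; the two sample configurations are constructed for the example, one resembling a PatternLayout-only setup like Solr's and one that deliberately uses the affected types. The mapping from condition to CVE ID is taken verbatim from the VEX detail above.

```python
"""Scan a Log4j 2 XML configuration for the layout/appender conditions the
VEX entry lists. Added example; not Solr code. Element/attribute names are
assumed to follow the Log4j 2 XML configuration format; sample configs are
constructed for the example."""
import xml.etree.ElementTree as ET

# Layout plugin names (compared case-insensitively, as Log4j 2 does) that the
# VEX detail maps directly to a CVE.
LAYOUT_CVES = {
    "xmllayout": "CVE-2026-34480",
    "log4j1xmllayout": "CVE-2026-34479",
    "jsontemplatelayout": "CVE-2026-34481",
}
# Appenders whose TLS hostname verification the VEX detail ties to CVE-2026-34477.
NETWORK_APPENDERS = {"smtp", "socket", "syslog"}


def _children_named(elem, name):
    return [c for c in elem if c.tag.lower() == name]


def _has_tls(app):
    """TLS is configured via a nested <SSL> element, protocol="SSL", or
    smtpProtocol="smtps" (assumed Log4j 2 attribute names)."""
    if _children_named(app, "ssl"):
        return True
    attrs = {k.lower(): v.lower() for k, v in app.attrib.items()}
    return attrs.get("protocol") == "ssl" or attrs.get("smtpprotocol") == "smtps"


def _check_appender(app):
    tag = app.tag.lower()
    name = app.attrib.get("name", "?")
    attrs = {k.lower(): v.lower() for k, v in app.attrib.items()}
    findings = []
    # Affected layout plugins nested anywhere under this appender.
    for elem in app.iter():
        layout = elem.tag.lower()
        if layout in LAYOUT_CVES:
            findings.append((LAYOUT_CVES[layout], name, elem.tag))
    tls = _has_tls(app)
    if tag in NETWORK_APPENDERS and tls:
        findings.append(("CVE-2026-34477", name, app.tag + " with TLS"))
    # RFC 5424 framing over a stream transport: Syslog format="RFC5424" with
    # TCP/SSL, or an explicit Rfc5424Layout inside a TCP/TLS Socket appender.
    rfc5424 = attrs.get("format") == "rfc5424" or any(
        e.tag.lower() == "rfc5424layout" for e in app.iter())
    stream = attrs.get("protocol") in ("tcp", "ssl") or tls
    if tag in ("syslog", "socket") and rfc5424 and stream:
        findings.append(("CVE-2026-34478", name, "Rfc5424Layout over TCP/TLS"))
    return findings


def scan_log4j2_config(xml_text):
    """Return sorted, de-duplicated (cve, appender_name, condition) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    for appenders in _children_named(root, "appenders"):
        for app in appenders:
            findings.extend(_check_appender(app))
    return sorted(set(findings))


# Constructed sample: PatternLayout only, the shape the VEX entry describes.
PATTERN_ONLY_CONFIG = """<Configuration>
  <Appenders>
    <Console name="STDOUT"><PatternLayout pattern="%d %-5p %m%n"/></Console>
    <RollingFile name="MainLogFile" fileName="logs/solr.log"
                 filePattern="logs/solr.log.%i">
      <PatternLayout pattern="%d %-5p (%t) [%X{node_name}] %c %m%n"/>
    </RollingFile>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="MainLogFile"/></Root></Loggers>
</Configuration>"""

# Constructed sample: TLS syslog with RFC 5424 framing plus an XmlLayout file.
AFFECTED_CONFIG = """<Configuration>
  <Appenders>
    <Syslog name="Audit" host="syslog.example.invalid" port="6514"
            protocol="SSL" format="RFC5424">
      <SSL><TrustStore location="/etc/ssl/truststore.p12"/></SSL>
    </Syslog>
    <File name="XmlDump" fileName="logs/events.xml"><XmlLayout/></File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Audit"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    for label, cfg in (("pattern-only", PATTERN_ONLY_CONFIG),
                       ("affected", AFFECTED_CONFIG)):
        print(label, scan_log4j2_config(cfg) or "no affected layouts/appenders")
```

Run it against a real deployment by reading the configuration file into `scan_log4j2_config`; an empty result is the condition under which the `not_affected` assessment carries over, while any finding names the CVE whose precondition the configuration meets. The check is deliberately limited to the XML format and to the element and attribute names listed in the lead-in; a configuration written in JSON, YAML or properties syntax, or one using a custom plugin that wraps an affected layout, would need the same logic applied to that format.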
