Re: Solr dependencies with security issues (CVEs)

2019-01-25 Thread Andreas Hubold

Thank you, that Wiki page helps a lot.

Andreas

Jan Høydahl wrote on 24.01.19 at 13:28:

> Please see https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools
> for a list of CVEs that do NOT affect Solr.
>
> As that page states, if you believe that one of the CVEs is really exploitable in
> Solr, then please attempt to describe why you believe Solr is vulnerable, and send a
> report to secur...@apache.org and/or file a
> private JIRA issue. Do not explain a new vulnerability on open mailing lists.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
>
> On 24 Jan 2019 at 13:10, Andreas Hubold wrote:
>
>> Hi,
>>
>> in our project, we're checking JAR dependencies with the OWASP dependency check
>> [1] for security issues for which CVEs have been reported.
>>
>> There are CVEs for some of Solr's third-party dependencies in version 7.6.0,
>> and I wonder if you have plans to update these to unaffected versions. I don't
>> know if these CVEs affect Solr, but even if they don't, IMHO it would be good
>> to update them so that users don't need to analyze the reports in detail.
>>
>> This is what I found for solr-core Maven dependencies:
>>
>> * protobuf-java-3.1.0.jar https://nvd.nist.gov/vuln/detail/CVE-2015-5237 (fixed
>> since protobuf 3.4)
>> * dom4j-1.6.1.jar https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 (fixed in
>> dom4j 2.1.1)
>> * hadoop-hdfs-2.7.4.jar https://nvd.nist.gov/vuln/detail/CVE-2017-15718 (fixed
>> in hadoop 2.7.5)
>>
>> What do you think?
>>
>> Thanks,
>> Andreas
>>
>> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check

Re: Solr dependencies with security issues (CVEs)

2019-01-24 Thread Jan Høydahl
Please see https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools
for a list of CVEs that do NOT affect Solr.

As that page states, if you believe that one of the CVEs is really exploitable 
in Solr, then please attempt to describe why you believe Solr is vulnerable, 
and send a report to secur...@apache.org and/or 
file a private JIRA issue. Do not explain a new vulnerability on open mailing 
lists.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 24 Jan 2019 at 13:10, Andreas Hubold wrote:
> 
> Hi,
> 
> in our project, we're checking JAR dependencies with the OWASP dependency 
> check [1] for security issues for which CVEs have been reported.
> 
> There are CVEs for some of Solr's third-party dependencies in version 7.6.0, 
> and I wonder if you have plans to update these to unaffected versions. I 
> don't know if these CVEs affect Solr, but even if they don't, IMHO it would 
> be good to update them so that users don't need to analyze the reports in 
> detail.
> 
> This is what I found for solr-core Maven dependencies:
> 
> * protobuf-java-3.1.0.jar https://nvd.nist.gov/vuln/detail/CVE-2015-5237 
> (fixed since protobuf 3.4)
> * dom4j-1.6.1.jar https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 (fixed in 
> dom4j 2.1.1)
> * hadoop-hdfs-2.7.4.jar https://nvd.nist.gov/vuln/detail/CVE-2017-15718 
> (fixed in hadoop 2.7.5)
> 
> What do you think?
> 
> Thanks,
> Andreas
> 
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> 

Solr dependencies with security issues (CVEs)

2019-01-24 Thread Andreas Hubold

Hi,

in our project, we're checking JAR dependencies with the OWASP 
dependency check [1] for security issues for which CVEs have been reported.

There are CVEs for some of Solr's third-party dependencies in version 
7.6.0, and I wonder if you have plans to update these to unaffected 
versions. I don't know if these CVEs affect Solr, but even if they 
don't, IMHO it would be good to update them so that users don't need to 
analyze the reports in detail.


This is what I found for solr-core Maven dependencies:

* protobuf-java-3.1.0.jar https://nvd.nist.gov/vuln/detail/CVE-2015-5237 
(fixed since protobuf 3.4)
* dom4j-1.6.1.jar https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 
(fixed in dom4j 2.1.1)
* hadoop-hdfs-2.7.4.jar https://nvd.nist.gov/vuln/detail/CVE-2017-15718 
(fixed in hadoop 2.7.5)


What do you think?

Thanks,
Andreas

[1] https://www.owasp.org/index.php/OWASP_Dependency_Check
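As an added example (not code from the thread, from Solr or from the Dependency-Check project), here is a small Python triage step for the workflow Andreas describes: read a Dependency-Check JSON report, drop CVEs already on a project's published not-affected list, and flag the rest as "upgrade" when the jar is older than the first fixed version. The report shape, the triage entry and the sample findings are constructed; the fixed versions are the ones quoted in the thread.

```python
import json
import re

# Constructed sample in the shape of Dependency-Check's JSON report, trimmed to
# the fields used (dependencies[].fileName, .vulnerabilities[].name).
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "protobuf-java-3.1.0.jar",
     "vulnerabilities": [{"name": "CVE-2015-5237"}]},
    {"fileName": "dom4j-1.6.1.jar",
     "vulnerabilities": [{"name": "CVE-2018-1000632"}]},
    {"fileName": "hadoop-hdfs-2.7.4.jar",
     "vulnerabilities": [{"name": "CVE-2017-15718"}]},
]})

# Earliest fixed version per CVE, as stated in the thread.
FIXED_IN = {"CVE-2015-5237": "3.4", "CVE-2018-1000632": "2.1.1",
            "CVE-2017-15718": "2.7.5"}

# Constructed triage list (CVE -> reason no action is needed), normally filled
# from the project's published not-affected list. The entry is a placeholder
# that shows the mechanism; it is not a verdict on any real CVE.
TRIAGED = {"CVE-0000-00000": "placeholder: listed as not affecting the product"}

VERSION_RE = re.compile(r"-(\d+(?:\.\d+)*)\.jar$")

def parse_version(v):
    """'2.7.4' -> (2, 7, 4), so '2.7.10' sorts after '2.7.4' as it should."""
    return tuple(int(p) for p in v.split("."))

def version_of(jar_name):
    """'dom4j-1.6.1.jar' -> '1.6.1'; None when the name carries no version."""
    m = VERSION_RE.search(jar_name)
    return m.group(1) if m else None

def triage(report_json, triaged=TRIAGED, fixed_in=FIXED_IN):
    """Return findings still needing action, one dict per (jar, CVE).
    Triaged CVEs are dropped; the rest get 'upgrade' when the jar is older
    than the first fixed version, else 'analyze' (unknown fix or version)."""
    todo = []
    for dep in json.loads(report_json)["dependencies"]:
        version = version_of(dep["fileName"])
        for vuln in dep.get("vulnerabilities", []):
            cve = vuln["name"]
            if cve in triaged:
                continue
            fixed = fixed_in.get(cve)
            upgrade = (fixed is not None and version is not None
                       and parse_version(version) < parse_version(fixed))
            todo.append({"jar": dep["fileName"], "cve": cve, "version": version,
                         "fixed_in": fixed, "action": "upgrade" if upgrade else "analyze"})
    return todo
```

Running `triage(SAMPLE_REPORT)` yields the three thread findings, each marked "upgrade"; a finding whose CVE has no known fix version, or whose jar name has no parseable version, is left as "analyze" for manual review.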