Re: Cybersecurity Incident Report

2020-08-07 Thread Jan Høydahl
If you suspect a new vulnerability in the product, please report it as detailed on our security page: https://lucene.apache.org/solr/security.html
For these existing ones, you may first check whether upgrades are already done in 8.5 or 8.6, and if not, check if there is an open JIRA issue about

Re: Cybersecurity Incident Report

2020-08-06 Thread Man with No Name
You’re absolutely right. Some of these are shadow jars and some directly used. Like netty, we're securing the communication using TLS and the netty CVE applies. So going back to the initial question, what would be the best way to report this, so that it can be looked at?
On Fri, Jul 24, 2020 at

Re: Cybersecurity Incident Report

2020-07-24 Thread Shawn Heisey
On 7/24/2020 2:35 PM, Man with No Name wrote:
> This version of jackson is pulled in as a shadow jar. Also solr is using io.netty version 4.1.29.Final which has critical vulnerabilities which are fixed in 4.1.44.

It looks like that shaded jackson library is included in the jar for htrace. I

Re: Cybersecurity Incident Report

2020-07-24 Thread matthew sporleder
docker pull solr:8.4.1-slim
docker run -it --rm solr:8.4.1-slim /bin/bash
solr@223042112be5:/opt/solr-8.4.1$ find ./ -name "*jackson*"
./server/solr-webapp/webapp/WEB-INF/lib/jackson-core-2.10.0.jar
./server/solr-webapp/webapp/WEB-INF/lib/jackson-annotations-2.10.0.jar

Re: Cybersecurity Incident Report

2020-07-23 Thread Man with No Name
Any help on this?
On Wed, Jul 22, 2020 at 4:25 PM Man with No Name wrote:
> The image is pulled from docker hub. After scanning the image from docker hub, without any modification, this is the list of CVE we're getting.
>
> Image ID CVE Package

Re: Cybersecurity Incident Report

2020-07-22 Thread Man with No Name
The image is pulled from docker hub. After scanning the image from docker hub, without any modification, this is the list of CVE we're getting.
Image ID CVE Package Version Severity Status

Re: Cybersecurity Incident Report

2020-07-21 Thread Erick Erickson
Not sure where the Docker image came from, but according to: https://issues.apache.org/jira/browse/SOLR-13818 Jackson was upgraded to 2.10.0 in Solr 8.4.
> On Jul 21, 2020, at 2:59 PM, Man with No Name wrote:
>
> Hey Guys,
> Our team is using Solr 8.4.1 in a kubernetes cluster using the

Cybersecurity Incident Report

2020-07-21 Thread Man with No Name
Hey Guys, Our team is using Solr 8.4.1 in a kubernetes cluster using the public image from docker hub. The containers before getting deployed to the cluster get whitescanned and it lists all the CVEs in the container. This is the list of CVEs we have for Solr: CVE-2020-11619, CVE-2020-11620,