The image is pulled from Docker Hub. After scanning the image from Docker Hub, without any modification, this is the list of CVEs we're getting.
Image            ID                CVE             Package                                      Version       Severity  Status                             CVSS
---------------  ----------------  --------------  -------------------------------------------  ------------  --------  ---------------------------------  ----
solr:8.4.1-slim  57561b4889690532  CVE-2019-16335  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10                    9.8
solr:8.4.1-slim  57561b4889690532  CVE-2020-8840   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical                                     9.8
solr:8.4.1-slim  57561b4889690532  CVE-2020-11620  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                  9.8
solr:8.4.1-slim  57561b4889690532  CVE-2020-9546   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                  9.8
solr:8.4.1-slim  57561b4889690532  CVE-2020-9547   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                  9.8
solr:8.4.1-slim  57561b4889690532  CVE-2019-20445  io.netty_netty-codec                         4.1.29.Final  critical  fixed in 4.1.44                    9.1
solr:8.4.1-slim  57561b4889690532  CVE-2020-9548   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                  9.8
solr:8.4.1-slim  57561b4889690532  CVE-2017-15095  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.1, 2.8.10             9.8
solr:8.4.1-slim  57561b4889690532  CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.7                     9.8
solr:8.4.1-slim  57561b4889690532  CVE-2019-16942  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical                                     9.8
solr:8.4.1-slim  57561b4889690532  CVE-2019-14893  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.10.0, 2.9.10            9.8
solr:8.4.1-slim  57561b4889690532  CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3  9.8
solr:8.4.1-slim  57561b4889690532  CVE-2019-20444  io.netty_netty-codec                         4.1.29.Final  critical  fixed in 4.1.44                    9.1
solr:8.4.1-slim  57561b4889690532  CVE-2019-14540  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10                    9.8
solr:8.4.1-slim  57561b4889690532  CVE-2019-16943  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical                                     9.8
solr:8.4.1-slim  57561b4889690532  CVE-2020-11612  io.netty_netty-codec                         4.1.29.Final  critical  fixed in 4.1.46                    9.8
solr:8.4.1-slim  57561b4889690532  CVE-2019-20330  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.2                  9.8
solr:8.4.1-slim  57561b4889690532  CVE-2019-17267  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10                    9.8

On Tue, Jul 21, 2020 at 5:06 PM Erick Erickson <erickerick...@gmail.com> wrote:
> Not sure where the Docker image came from, but according to:
> https://issues.apache.org/jira/browse/SOLR-13818
>
> Jackson was upgraded to 2.10.0 in Solr 8.4.
>
> > On Jul 21, 2020, at 2:59 PM, Man with No Name <pinkeshsharm...@gmail.com> wrote:
> >
> > Hey Guys,
> > Our team is using Solr 8.4.1 in a kubernetes cluster using the public image
> > from docker hub. The containers before getting deployed to the cluster
> > get whitescanned and it lists all the CVEs in the container. This is the list
> > of CVEs we have for Solr
> >
> > CVE-2020-11619, CVE-2020-11620, CVE-2020-8840, CVE-2019-10088,
> > CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112,
> > CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062,
> > CVE-2020-14195, CVE-2019-10094, CVE-2019-12402
> >
> > Most of the CVEs are because of the old version of Jackson-databind, and it
> > has been fixed in the 2.9.10.4 version. So what would be the best way to
> > report this and to get it fixed?
> >
> > CVE is a list of entries — each containing an identification number, a
> > description, and at least one public reference — for publicly known
> > cybersecurity vulnerabilities.
> >
> > --
> > Regards:
> > Pinkesh Sharma
> >
>

--
Regards:
Pinkesh Sharma