Any help on this?

On Wed, Jul 22, 2020 at 4:25 PM Man with No Name <pinkeshsharm...@gmail.com>
wrote:

> The image is pulled from Docker Hub. After scanning the image from Docker
> Hub, without any modification, this is the list of CVEs we're getting.
>
>
> Image              ID                  CVE               Package                                        Version         Severity    Status                               CVSS
> -----              --                  ---               -------                                        -------         --------    ------                               ----
> solr:8.4.1-slim    57561b4889690532    CVE-2019-16335    com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.10                      9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2020-8840     com.fasterxml.jackson.core_jackson-databind    2.4.0           critical                                         9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2020-11620    com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.10.4                    9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2020-9546     com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.10.4                    9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2020-9547     com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.10.4                    9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2019-20445    io.netty_netty-codec                           4.1.29.Final    critical    fixed in 4.1.44                      9.1
> solr:8.4.1-slim    57561b4889690532    CVE-2020-9548     com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.10.4                    9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2017-15095    com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.1, 2.8.10               9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2018-14718    com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.7                       9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2019-16942    com.fasterxml.jackson.core_jackson-databind    2.4.0           critical                                         9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2019-14893    com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.10.0, 2.9.10              9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2018-7489     com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.5, 2.8.11.1, 2.7.9.3    9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2019-20444    io.netty_netty-codec                           4.1.29.Final    critical    fixed in 4.1.44                      9.1
> solr:8.4.1-slim    57561b4889690532    CVE-2019-14540    com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.10                      9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2019-16943    com.fasterxml.jackson.core_jackson-databind    2.4.0           critical                                         9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2020-11612    io.netty_netty-codec                           4.1.29.Final    critical    fixed in 4.1.46                      9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2019-20330    com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.10.2                    9.8
> solr:8.4.1-slim    57561b4889690532    CVE-2019-17267    com.fasterxml.jackson.core_jackson-databind    2.4.0           critical    fixed in 2.9.10                      9.8
>
>
> On Tue, Jul 21, 2020 at 5:06 PM Erick Erickson <erickerick...@gmail.com>
> wrote:
>
>> Not sure where the Docker image came from, but according to:
>> https://issues.apache.org/jira/browse/SOLR-13818
>>
>> Jackson was upgraded to 2.10.0 in Solr 8.4.
>>
>> > On Jul 21, 2020, at 2:59 PM, Man with No Name <pinkeshsharm...@gmail.com> wrote:
>> >
>> > Hey Guys,
>> > Our team is using Solr 8.4.1 in a Kubernetes cluster using the public image
>> > from Docker Hub. The containers, before getting deployed to the cluster,
>> > get whitescanned and it lists all the CVEs in the container. This is the list
>> > of CVEs we have for Solr:
>> >
>> > CVE-2020-11619, CVE-2020-11620, CVE-2020-8840, CVE-2019-10088,
>> > CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112,
>> > CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062,
>> > CVE-2020-14195, CVE-2019-10094, CVE-2019-12402
>> >
>> > Most of the CVEs are because of the old version of Jackson-databind, and it
>> > has been fixed in the 2.9.10.4 version. So what would be the best way to
>> > report this and to get it fixed?
>> >
>> >
>> > CVE is a list of entries — each containing an identification number, a
>> > description, and at least one public reference — for publicly known
>> > cybersecurity vulnerabilities.
>> >
>> > --
>> > Regards:
>> > Pinkesh Sharma
>>
>>
>
> --
> Regards:
> Pinkesh Sharma
>
-- 
Sent from Gmail for IPhone
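
One way to reconcile a scanner row reporting jackson-databind 2.4.0 with the 2.10.0 upgrade referenced in SOLR-13818 is to list every jar, including nested or bundling jars, that carries Maven metadata for that artifact. This is an added example, not part of the thread or of Solr; it assumes the scanner derives package and version from embedded `pom.properties` files, and the jar names and contents below are constructed.

```python
import io
import re
import zipfile

POM_RE = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def maven_coordinates(jar_bytes, origin):
    """Return (group, artifact, version, origin) for each pom.properties
    found in a jar, descending into nested .jar entries."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_RE.search(name)
            if m:
                text = zf.read(name).decode("utf-8", "replace")
                props = dict(line.split("=", 1) for line in text.splitlines()
                             if "=" in line and not line.startswith("#"))
                version = props.get("version", "?").strip()
                found.append((m.group(1), m.group(2), version, origin))
            elif name.endswith(".jar"):
                found.extend(maven_coordinates(zf.read(name), f"{origin}!{name}"))
    return found

def build_jar(entries):
    """Constructed sample data: build a jar (zip) in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()

def pom(group, artifact, version):
    path = f"META-INF/maven/{group}/{artifact}/pom.properties"
    body = f"groupId={group}\nartifactId={artifact}\nversion={version}\n"
    return {path: body.encode()}

def demo():
    g, a = "com.fasterxml.jackson.core", "jackson-databind"
    direct = build_jar(pom(g, a, "2.10.0"))
    # Hypothetical third-party jar that bundles an older copy of the library.
    bundled = build_jar({**pom("org.example", "some-tool", "1.0"), **pom(g, a, "2.4.0")})
    image = {"lib/jackson-databind-2.10.0.jar": direct, "lib/some-tool-1.0.jar": bundled}
    hits = []
    for path, data in image.items():
        hits += [c for c in maven_coordinates(data, path) if c[1] == a]
    return sorted((version, origin) for _, _, version, origin in hits)

if __name__ == "__main__":
    for version, origin in demo():
        print(version, origin)
```

Run against the jars extracted from an image layer, the origin column shows which file a flagged version actually lives in, which is the detail needed when reporting the finding upstream.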
