Any help on this?

On Wed, Jul 22, 2020 at 4:25 PM Man with No Name <pinkeshsharm...@gmail.com> wrote:
> The image is pulled from docker hub. After scanning the image from docker
> hub, without any modification, this is the list of CVEs we're getting.
>
> Image            ID                CVE             Package                                      Version       Severity  Status                              CVSS
> ---------------  ----------------  --------------  -------------------------------------------  ------------  --------  ----------------------------------  ----
> solr:8.4.1-slim  57561b4889690532  CVE-2019-16335  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10                     9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2020-8840   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical                                      9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2020-11620  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                   9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2020-9546   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                   9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2020-9547   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                   9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2019-20445  io.netty_netty-codec                         4.1.29.Final  critical  fixed in 4.1.44                     9.1
> solr:8.4.1-slim  57561b4889690532  CVE-2020-9548   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                   9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2017-15095  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.1, 2.8.10              9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.7                      9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2019-16942  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical                                      9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2019-14893  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.10.0, 2.9.10             9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3   9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2019-20444  io.netty_netty-codec                         4.1.29.Final  critical  fixed in 4.1.44                     9.1
> solr:8.4.1-slim  57561b4889690532  CVE-2019-14540  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10                     9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2019-16943  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical                                      9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2020-11612  io.netty_netty-codec                         4.1.29.Final  critical  fixed in 4.1.46                     9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2019-20330  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.2                   9.8
> solr:8.4.1-slim  57561b4889690532  CVE-2019-17267  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10                     9.8
>
>
> On Tue, Jul 21, 2020 at 5:06 PM Erick Erickson <erickerick...@gmail.com> wrote:
>
>> Not sure where the Docker image came from, but according to:
>> https://issues.apache.org/jira/browse/SOLR-13818
>>
>> Jackson was upgraded to 2.10.0 in Solr 8.4.
>>
>> > On Jul 21, 2020, at 2:59 PM, Man with No Name <pinkeshsharm...@gmail.com> wrote:
>> >
>> > Hey guys,
>> > Our team is using Solr 8.4.1 in a kubernetes cluster using the public image
>> > from docker hub. The containers, before getting deployed to the cluster,
>> > get whitescanned and it lists all the CVEs in the container. This is the list
>> > of CVEs we have for Solr:
>> >
>> > CVE-2020-11619, CVE-2020-11620, CVE-2020-8840, CVE-2019-10088,
>> > CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112,
>> > CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062,
>> > CVE-2020-14195, CVE-2019-10094, CVE-2019-12402
>> >
>> > Most of the CVEs are because of the old version of Jackson-databind, and it
>> > has been fixed in the 2.9.10.4 version. So what would be the best way to
>> > report this and to get it fixed?
>> >
>> >
>> > CVE is a list of entries — each containing an identification number, a
>> > description, and at least one public reference — for publicly known
>> > cybersecurity vulnerabilities.
>> >
>> > --
>> > Regards:
>> > Pinkesh Sharma
>>
>
> --
> Regards:
> Pinkesh Sharma

--
Sent from Gmail for iPhone
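Whether the scanner is right that a jackson-databind 2.4.0 jar is actually inside the image, rather than the 2.10.0 that SOLR-13818 says Solr 8.4 ships, can be checked from the image filesystem itself (for example after `docker export` of a container created from the image, untarred into a directory). The script below is an added example and is not code from this thread, from Solr or from Docker: it walks a directory tree, reads each jar's `META-INF/maven/<groupId>/<artifactId>/pom.properties` to get the real Maven coordinates (falling back to the jar file name only when that metadata is missing), and marks every copy it finds as at or below the fix version the scanner reports. The directory layout and jar contents produced by `build_sample_tree` are constructed for the demonstration and are not the real image's layout, and `version_key` is a simplified numeric comparison, not Maven's full version ordering.

```python
"""Locate every copy of a Maven artifact in an unpacked container filesystem and
compare each against a fix version. Added example; paths in the sample tree are
hypothetical and the version ordering is simplified (not full Maven semantics)."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Tuple

# pom.properties lives at META-INF/maven/<groupId>/<artifactId>/pom.properties in Maven-built jars.
POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
# Fallback only: "<artifact>-<version>.jar" naming, used when a jar carries no pom.properties.
JAR_NAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Parse the key=value lines of a pom.properties file, skipping comments and blanks."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def maven_coords(jar_path: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every pom.properties inside a jar.
    A shaded jar may carry several; a hand-built jar may carry none."""
    coords = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if POM_PROPS_RE.match(name):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    coords.append((props["groupId"], props["artifactId"], props["version"]))
    return coords


def find_artifact(root: str, group: str, artifact: str) -> Dict[str, str]:
    """Map each jar (relative to root) that contains group:artifact to the version it carries."""
    found: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".jar"):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            try:
                coords = maven_coords(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; ignore
            versions = [v for g, a, v in coords if g == group and a == artifact]
            if versions:
                found[rel] = versions[0]
                continue
            if not coords:  # no metadata at all: trust the file name, artifact name only
                m = JAR_NAME_RE.match(fn)
                if m and m.group("artifact") == artifact:
                    found[rel] = m.group("version")
    return found


def version_key(version: str) -> Tuple:
    """Sort key: numeric segments compare as ints, others (e.g. 'Final') as strings. Simplified."""
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in re.split(r"[.\-]", version))


def triage(found: Dict[str, str], fixed_in: str) -> Dict[str, str]:
    """'ok' when the copy is at or above the fix version, otherwise 'vulnerable'."""
    return {p: ("ok" if version_key(v) >= version_key(fixed_in) else "vulnerable") for p, v in found.items()}


def build_sample_tree(root: str) -> None:
    """Constructed sample filesystem (hypothetical paths, not the real solr image):
    one current jar, one stale jar elsewhere, one jar without metadata, one unrelated jar."""
    group = "com.fasterxml.jackson.core"

    def write_jar(rel: str, coords: List[Tuple[str, str, str]]) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for g, a, v in coords:
                zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties", f"version={v}\ngroupId={g}\nartifactId={a}\n")

    write_jar("opt/solr/server/solr-webapp/webapp/WEB-INF/lib/jackson-databind-2.10.0.jar", [(group, "jackson-databind", "2.10.0")])
    write_jar("opt/solr/contrib/example/lib/jackson-databind-2.4.0.jar", [(group, "jackson-databind", "2.4.0")])
    write_jar("opt/solr/dist/jackson-databind-2.9.10.jar", [])  # no pom.properties: file-name fallback
    write_jar("opt/solr/server/lib/ext/some-other-2.4.0.jar", [(group, "jackson-core", "2.10.0")])


def scan_sample(fixed_in: str = "2.9.10.4") -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build the constructed tree in a temp dir and return (versions found, triage verdicts)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = find_artifact(root, "com.fasterxml.jackson.core", "jackson-databind")
        return found, triage(found, fixed_in)


if __name__ == "__main__":
    found, verdict = scan_sample()
    for rel in sorted(found):
        print(f"{verdict[rel]:10} {found[rel]:10} {rel}")
```

Against a real export, point `find_artifact` at the untarred root instead of the sample tree; a copy reported as `vulnerable` under a path Solr does not load at runtime still has to be removed or rebuilt out of the image before the scanner will stop flagging it, while a finding that no jar on disk supports is a scanner database problem to raise with the scanner vendor rather than with the Solr project.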