docker pull solr:8.4.1-slim

docker run -it --rm solr:8.4.1-slim /bin/bash

solr@223042112be5:/opt/solr-8.4.1$ find ./ -name "*jackson*"
./server/solr-webapp/webapp/WEB-INF/lib/jackson-core-2.10.0.jar
./server/solr-webapp/webapp/WEB-INF/lib/jackson-annotations-2.10.0.jar
./server/solr-webapp/webapp/WEB-INF/lib/jackson-dataformat-smile-2.10.0.jar
./server/solr-webapp/webapp/WEB-INF/lib/jackson-databind-2.10.0.jar
./contrib/prometheus-exporter/lib/jackson-jq-0.0.8.jar
./contrib/prometheus-exporter/lib/jackson-core-2.10.0.jar
./contrib/prometheus-exporter/lib/jackson-annotations-2.10.0.jar
./contrib/prometheus-exporter/lib/jackson-databind-2.10.0.jar
./contrib/clustering/lib/jackson-annotations-2.10.0.jar
./contrib/clustering/lib/jackson-databind-2.10.0.jar

How does the scanner work?

On Thu, Jul 23, 2020 at 11:23 PM Man with No Name
<pinkeshsharm...@gmail.com> wrote:
>
> Any help on this?
>
> On Wed, Jul 22, 2020 at 4:25 PM Man with No Name <pinkeshsharm...@gmail.com>
> wrote:
>
> > The image is pulled from docker hub. After scanning the image from docker
> > hub, without any modification, this is the list of CVEs we're getting.
> >
> >
> > Image            ID                CVE             Package                                      Version       Severity  Status                             CVSS
> > -----            --                ---             -------                                      -------       --------  ------                             ----
> > solr:8.4.1-slim  57561b4889690532  CVE-2019-16335  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10                    9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2020-8840   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical                                     9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2020-11620  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                  9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2020-9546   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                  9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2020-9547   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                  9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2019-20445  io.netty_netty-codec                         4.1.29.Final  critical  fixed in 4.1.44                    9.1
> > solr:8.4.1-slim  57561b4889690532  CVE-2020-9548   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.4                  9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2017-15095  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.1, 2.8.10             9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.7                     9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2019-16942  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical                                     9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2019-14893  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.10.0, 2.9.10            9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3  9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2019-20444  io.netty_netty-codec                         4.1.29.Final  critical  fixed in 4.1.44                    9.1
> > solr:8.4.1-slim  57561b4889690532  CVE-2019-14540  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10                    9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2019-16943  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical                                     9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2020-11612  io.netty_netty-codec                         4.1.29.Final  critical  fixed in 4.1.46                    9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2019-20330  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10.2                  9.8
> > solr:8.4.1-slim  57561b4889690532  CVE-2019-17267  com.fasterxml.jackson.core_jackson-databind  2.4.0         critical  fixed in 2.9.10                    9.8
> >
> >
> > On Tue, Jul 21, 2020 at 5:06 PM Erick Erickson <erickerick...@gmail.com>
> > wrote:
> >
> >> Not sure where the Docker image came from, but according to:
> >> https://issues.apache.org/jira/browse/SOLR-13818
> >>
> >> Jackson was upgraded to 2.10.0 in Solr 8.4.
> >>
> >> > On Jul 21, 2020, at 2:59 PM, Man with No Name <pinkeshsharm...@gmail.com> wrote:
> >> >
> >> > Hey Guys,
> >> > Our team is using Solr 8.4.1 in a kubernetes cluster using the public image
> >> > from docker hub. The containers before getting deployed to the cluster
> >> > get whitescanned and it lists all the CVEs in the container. This is the list
> >> > of CVEs we have for Solr
> >> >
> >> > CVE-2020-11619, CVE-2020-11620, CVE-2020-8840, CVE-2019-10088,
> >> > CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112,
> >> > CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062,
> >> > CVE-2020-14195, CVE-2019-10094, CVE-2019-12402
> >> >
> >> > Most of the CVEs are because of the old version of Jackson-databind, and it
> >> > has been fixed in the 2.9.10.4 version. So what would be the best way to
> >> > report this and to get it fixed?
> >> >
> >> >
> >> > CVE is a list of entries — each containing an identification number, a
> >> > description, and at least one public reference — for publicly known
> >> > cybersecurity vulnerabilities.
> >> >
> >> > --
> >> > Regards:
> >> > Pinkesh Sharma
> >>
> >>
> >
> > --
> > Regards:
> > Pinkesh Sharma
> >
> --
> Sent from Gmail for IPhone
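
The thread's open question is why the scan reports jackson-databind 2.4.0 when every jar file name in the image says 2.10.0. The following is an added example, not part of the original thread and not the scanner's own logic: it inventories the Maven metadata (`pom.properties`) embedded inside each jar, including jars nested in other jars, which a file-name `find` cannot see. That the scanner matches on this metadata is an assumption; the script name and the paths in the usage comment are hypothetical.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Maven-built jars carry their coordinates at this path by default.
POM_PROPS = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def scan_archive(data, origin, depth=0, max_depth=3):
    """Yield (origin, groupId, artifactId, version) for Maven metadata in a jar.

    Recurses into nested .jar/.war entries, because a bundled or shaded copy
    never appears in a file-name listing such as `find -name "*jackson*"`.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            m = POM_PROPS.search(name)
            if m:
                text = zf.read(name).decode("utf-8", "replace")
                props = dict(line.split("=", 1) for line in text.splitlines()
                             if "=" in line and not line.startswith("#"))
                yield (origin,
                       props.get("groupId", m.group(1)).strip(),
                       props.get("artifactId", m.group(2)).strip(),
                       props.get("version", "?").strip())
            elif name.endswith((".jar", ".war")) and depth < max_depth:
                yield from scan_archive(zf.read(name), f"{origin}!{name}",
                                        depth + 1, max_depth)


def inventory(root, artifact):
    """Return sorted (version, origin) pairs for every embedded copy of artifact."""
    hits = []
    for jar in sorted(Path(root).rglob("*.jar")):
        for origin, _group, art, version in scan_archive(jar.read_bytes(), str(jar)):
            if art == artifact:
                hits.append((version, origin))
    return sorted(hits)


if __name__ == "__main__":
    # Hypothetical usage: python jar_inventory.py /opt/solr-8.4.1 jackson-databind
    if len(sys.argv) != 3:
        sys.exit("usage: jar_inventory.py <root-dir> <artifactId>")
    for version, origin in inventory(sys.argv[1], sys.argv[2]):
        print(f"{version}\t{origin}")
```

An origin containing `!` marks a copy nested inside another archive. If no embedded copy at the reported version turns up, the finding is better raised with the scanner vendor than with the Solr project.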
