You’re absolutely right. Some of these are shadow jars and sone directly used. Like netty, we're securing the communication using tls and the netty cve applies.
So going back to the initial question, what would be the best way to report this, so that it can be looked at? On Fri, Jul 24, 2020 at 7:35 PM Shawn Heisey <apa...@elyograg.org> wrote: > On 7/24/2020 2:35 PM, Man with No Name wrote: > > This version of jackson is pulled in as a shadow jar. Also solr is using > > io.netty version 4.1.29.Final which has critical vulnerabilities which > > are fixed in 4.1.44. > > It looks like that shaded jackson library is included in the jar for > htrace. I looked through the commit history and learned that htrace is > included for the HDFS support in Solr. Which means that if you are not > using the HDFS capability, then htrace will not be used, so the older > jackson library will not be used either. > > If you are not using TLS connections from SolrCloud to ZooKeeper, then > your install of Solr will not be using the netty library, and > vulnerabilities in netty will not apply. > > The older version of Guava is pulled in with a jar from carrot2. If > your Solr install does not use carrot2 clustering, then that version of > Guava will never be called. > > The commons-compress and tika libraries are only used if you have > configured the extraction contrib, also known as SolrCell. This contrib > module is used to index rich-text documents, such as PDF and Word. > Because it makes Solr unstable, we strongly recommend that nobody should > use SolrCell in production. When rich-text documents need to be > indexed, it should be accomplished by using Tika outside of Solr... and > if that recommendation is followed, you can control the version used so > that the well-known vulnerabilities will not be present. > > We have always recommended that Solr should be located in a network > place that can only be reached by systems and people who are authorized. > If that is done, then nobody will be able to exploit any > vulnerabilities that might exist in Solr unless they first successfully > break into an authorized system. > > We do take these reports of vulnerabilities seriously and close them as > quickly as we can. > > Thanks, > Shawn > -- Sent from Gmail for IPhone
