Solr follows the ASF policy for reporting vulnerabilities, described on this page of our website: https://lucene.apache.org/solr/security.html. This page also lists known vulnerabilities that have been addressed, with their mitigation steps.
Scanning tools are commonly full of false positives, so for this reason the community does not accept unfiltered scanner output such as a spreadsheet as a vulnerability report. We attempt to maintain a list of known false positives (also linked from the website) at: https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools. But in all honesty such a list is really hard to keep up with. Exact versions in your report may differ from what’s on the list, but usually the general conclusion that it’s not an exploitable issue remains. For example, our list notes a CVE for ‘dom4j-1.6.1.jar’ is not an exploitable vulnerability because it is only used in tests. If a CVE comes out for ‘dom4j-1.7.3.jar’ (if such a version exists), the fact remains that the dependency is only used in tests and is still not exploitable in a production system.

If you do find a real vulnerability you are concerned about, ASF policy is for you to privately report it to the community so it can be addressed before hackers have a chance to attempt to exploit user systems. How to do that is also described on the Security page of our website linked above.

-Cassandra

On Sep 28, 2020, 2:07 PM -0500, Narayanan, Lakshmi <lakshmi.naraya...@mmc.com.invalid>, wrote:
> Hello Solr-User Support team
>
> We have installed the SOLR 8.6.2 package into a docker container in our DEV
> environment. Prior to using it, our security team scanned the docker image
> using SysDig and found a lot of Critical/High/Medium vulnerabilities. The
> full list is in the attached spreadsheet.
>
> Scan Summary
> 30 STOPS 190 WARNS 188 Vulnerabilities
>
> Please advise or point us to how/where to get a package that has been patched
> for the Critical/High/Medium vulnerabilities in the attached spreadsheet.
> Your help will be gratefully received.
>
> Lakshmi Narayanan
> Marsh & McLennan Companies
> 121 River Street, Hoboken, NJ 07030
> 201-284-3345
> M: 845-300-3809
> Email: lakshmi.naraya...@mmc.com
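One way to do the filtering Cassandra describes, as an added example that is not part of the thread or of Solr itself: triage a scanner export against a known-false-positive list keyed on the artifact name rather than the exact version, and check whether a flagged jar is even present in the shipped image. The false-positive entry, the jar inventory, the scanner lines and the CVE ids are all constructed placeholders.

```python
"""Triage raw scanner output against a known-false-positive list.
Added example, not Solr project code; all sample data is constructed and the
CVE ids are placeholders. Matching uses the artifact name with the version
stripped: a report's version often differs from the listed one while the
conclusion (here: test-only dependency) still holds."""
import re
# Artifact names (version stripped) the community has already assessed.
KNOWN_FALSE_POSITIVES = {
    "dom4j": "only used in tests; not part of the production distribution",
}
# Constructed inventory of jars actually present in the image
# (e.g. what `find /opt/solr -name '*.jar'` would list).
SHIPPED_JARS = {
    "/opt/solr/server/lib/ext/log4j-core-2.13.2.jar",
    "/opt/solr/server/solr-webapp/webapp/WEB-INF/lib/zookeeper-3.6.1.jar",
}
# Constructed scanner export: id, jar file name, severity.
SCANNER_OUTPUT = """\
CVE-EXAMPLE-0001,dom4j-1.7.3.jar,Critical
CVE-EXAMPLE-0002,zookeeper-3.6.1.jar,High
CVE-EXAMPLE-0003,jackson-databind-2.10.1.jar,High
"""
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def split_jar(filename: str) -> tuple[str, str]:
    """'dom4j-1.7.3.jar' -> ('dom4j', '1.7.3'); an unversioned jar gets version ''."""
    m = JAR_RE.match(filename)
    if not m:
        return filename.removesuffix(".jar"), ""
    return m.group("name"), m.group("version")

def triage(scanner_csv: str, shipped_jars: set[str], known_fp: dict[str, str]) -> list[dict]:
    """Classify each finding so only genuinely open items go into a report."""
    shipped_names = {split_jar(p.rsplit("/", 1)[-1])[0] for p in shipped_jars}
    results = []
    for line in filter(str.strip, scanner_csv.splitlines()):
        cve, jar, severity = (f.strip() for f in line.split(","))
        name, _version = split_jar(jar)
        if name in known_fp:
            verdict = f"known false positive: {known_fp[name]}"
        elif name not in shipped_names:
            verdict = "not present in shipped image"
        else:
            verdict = "needs review: report privately per ASF policy"
        results.append({"cve": cve, "jar": jar, "severity": severity, "verdict": verdict})
    return results

if __name__ == "__main__":
    for f in triage(SCANNER_OUTPUT, SHIPPED_JARS, KNOWN_FALSE_POSITIVES):
        print(f"{f['cve']:18} {f['jar']:30} {f['severity']:9} {f['verdict']}")
```

Only the findings marked "needs review" would go into a private report; the jar inventory should be generated from the actual image rather than typed by hand.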