When implemented correctly, Solr has no vulnerabilities. In other words, it will never have a public-facing address to even attack; it’s only accessed through your application on a private network.

> On Jun 7, 2021, at 4:51 PM, Narayanan, Lakshmi <[email protected]> wrote:
>
> Sending to [email protected]
>
> Lakshmi Narayanan
> Marsh & McLennan Companies
> 121 River Street, Hoboken,NJ-07030
> 201-284-3345
> M: 845-300-3809
> Email: [email protected]
>
> From: Narayanan, Lakshmi <[email protected]>
> Sent: Monday, June 07, 2021 3:28 PM
> To: [email protected]
> Subject: Vulnerabilities in SOLR 8.8.2
>
> Hello SOLR-User Support team
> Please advise if there is resolution to the vulnerabilities listed below in SOLR 8.8.2
> This is preventing us from using the SOLR product
>
> I have tried to contact this mailgroup for support before;
> Please advise if there is another mailgroup I can reach for SOLR Support?
>
> Thank you
>
> Lakshmi Narayanan
>
> | Vulnerability | Severity | Package | Package Version | Package Type | Package Path | URL | Fix | Stop | Grace Period Stop | Known Warn |
> |---|---|---|---|---|---|---|---|---|---|---|
> | VULNDB-180024 | High | derby | 10.9.1.0 | java | /opt/solr-8.8.2/example/example-DIH/solr/db/lib/derby-10.9.1.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-180024 | 10.14.2.0 | True | False | False |
> | VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-annotations-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False |
> | VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-auth-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False |
> | VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-common-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False |
> | VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-hdfs-client-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False |
> | VULNDB-223108 | High | jackson-databind | 2.4.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/htrace-core4-4.1.0-incubating.jar:jackson-databind | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-223108 | 2.8.11.5, 2.9.10.3 | True | False | False |
> | VULNDB-214563 | High | jackson-databind | 2.4.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/htrace-core4-4.1.0-incubating.jar:jackson-databind | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-214563 | 2.10.0, 2.9.10.1 | True | False | False |
>
> From: Narayanan, Lakshmi <[email protected]>
> Sent: Friday, December 11, 2020 11:50 AM
> To: [email protected]
> Subject: FW: Vulnerabilities in SOLR 8.6.2
>
> Can anyone please advise?
> Who else should be notified to get some guidance on this please??
>
> Lakshmi Narayanan
>
> From: Narayanan, Lakshmi <[email protected]>
> Sent: Friday, November 13, 2020 11:21 AM
> To: [email protected]
> Subject: FW: Vulnerabilities in SOLR 8.6.2
>
> This is my 5th attempt in the last 60 days
> Is there anyone looking at these mails?
> Does anyone care?? :(
>
> Lakshmi Narayanan
>
> From: Narayanan, Lakshmi <[email protected]>
> Sent: Thursday, October 22, 2020 1:06 PM
> To: [email protected]
> Subject: FW: Vulnerabilities in SOLR 8.6.2
>
> This is my 4th attempt to contact
> Please advise, if there is a build that fixes these vulnerabilities
>
> Lakshmi Narayanan
>
> From: Narayanan, Lakshmi <[email protected]>
> Sent: Sunday, October 18, 2020 4:01 PM
> To: [email protected]
> Subject: FW: Vulnerabilities in SOLR 8.6.2
>
> SOLR-User Support team
> Is there anyone who can answer my question or can point to someone who can help
> I have not had any response for the past 3 weeks !?
> Please advise
>
> Lakshmi Narayanan
>
> From: Narayanan, Lakshmi <[email protected]>
> Sent: Sunday, October 04, 2020 2:11 PM
> To: [email protected]
> Cc: Chattopadhyay, Salil <[email protected]>; Mutnuri, Vishnu D <[email protected]>; Pathak, Omkar <[email protected]>; Shenouda, Nasir B <[email protected]>
> Subject: RE: Vulnerabilities in SOLR 8.6.2
>
> Hello Solr-User Support team
> Please advise or provide further guidance on the request below
>
> Thank you!
>
> Lakshmi Narayanan
>
> From: Narayanan, Lakshmi <[email protected]>
> Sent: Monday, September 28, 2020 1:52 PM
> To: [email protected]
> Cc: Chattopadhyay, Salil <[email protected]>; Mutnuri, Vishnu D <[email protected]>; Pathak, Omkar <[email protected]>; Shenouda, Nasir B <[email protected]>
> Subject: Vulnerabilities in SOLR 8.6.2
> Importance: High
>
> Hello Solr-User Support team
> We have installed the SOLR 8.6.2 package into a docker container in our DEV environment. Prior to using it, our security team scanned the docker image using SysDig and found a lot of Critical/High/Medium vulnerabilities. The full list is in the attached spreadsheet
>
> Scan Summary
> 30 STOPS 190 WARNS 188 Vulnerabilities
>
> Please advise or point us to how/where to get a package that has been patched for the Critical/High/Medium vulnerabilities in the attached spreadsheet
> Your help will be gratefully received
>
> Lakshmi Narayanan
