Solr shouldn't be affected by CVE-2022-25168 based on the CVE description here [1]. Solr is only an HDFS client when used in production code. The Hadoop CVE in question won't be used by Solr code when interacting w/ HDFS as a client.
[1] https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130

Kevin Risden

On Tue, Oct 4, 2022 at 7:03 AM Markus Jelsma <[email protected]> wrote:
> Hello,
>
> Some customers that run security scans have seen issues with the 3.2.2
> dependency as well, and asked to solve it. You can do several things:
> * not use Solr on HDFS, or Hadoop features, and ignore it
> * the same as above but delete the affected JARs
> * replace the JARs with their 3.3.3 or 3.3.4 counterparts
>
> If you don't store your index on HDFS, I would just ignore it, if your IT
> department allows you to.
>
> Regards,
> Markus
>
> On Thu 29 Sep 2022 at 18:48, Richard Li <[email protected]> wrote:
>
> > Hi,
> >
> > Our vulnerability scanning tool found a vulnerability from Hadoop in Solr
> > 8.11.2. More specifically, it is introduced through
> > org.apache.solr:[email protected] › org.apache.hadoop:[email protected].
> > The published vulnerability is listed as CVE-2022-25168:
> > https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
> >
> > This vulnerability is not listed on Solr Security News, but also not under
> > the false positives on the SolrSecurity Confluence page.
> >
> > We were wondering if this is a real vulnerability for Solr and if in
> > particular Solr 8.11.2 is affected by this vulnerability?
> >
> > Thanks in advance.
> >
> > Kind regards,
> >
> > Richard
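As an added example that is not part of the thread, the following POSIX shell check inventories the Hadoop JARs under a Solr install directory and reports which are still below the 3.3.3/3.3.4 versions Markus mentions, i.e. the same finding a dependency scanner raises; it assumes the standard hadoop-<artifact>-<version>.jar file naming and builds its own constructed sample tree. Per Kevin's reply, an OLD line means a scanner hit on the bundled dependency, not that the Solr deployment is actually affected.

```shell
# Added example, not from the thread. Assumption: JARs follow the usual
# hadoop-<artifact>-<version>.jar naming; the install dir is the first argument.

# hadoop-common-3.2.2.jar -> 3.2.2; prints nothing if the name does not match.
hadoop_jar_version() {
  basename "$1" .jar | sed -n 's/^hadoop-.*-\([0-9][0-9.]*\)$/\1/p'
}

# Exit 0 when dotted version $1 is strictly older than $2 (numeric per component).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# One line per Hadoop JAR under $1: "OLD <ver> <path>" when below $2
# (default 3.3.3), "OK <ver> <path>" otherwise, "UNKNOWN <path>" if unparsable.
scan_hadoop_jars() {
  fixed=${2:-3.3.3}
  find "$1" -type f -name 'hadoop-*.jar' | sort | while IFS= read -r jar; do
    ver=$(hadoop_jar_version "$jar")
    if [ -z "$ver" ]; then printf 'UNKNOWN %s\n' "$jar"
    elif version_lt "$ver" "$fixed"; then printf 'OLD %s %s\n' "$ver" "$jar"
    else printf 'OK %s %s\n' "$ver" "$jar"
    fi
  done
}

# Number of JARs flagged OLD, i.e. what a scanner reports on an unpatched install.
old_hadoop_jar_count() {
  scan_hadoop_jars "$1" "$2" | grep -c '^OLD' || true
}

# Constructed sample tree of empty files (paths illustrative, not Solr's real
# layout): two Hadoop 3.2.2 JARs plus one already replaced by its 3.3.4 build.
make_sample_install() {
  d=$(mktemp -d)
  mkdir -p "$d/server/lib" "$d/contrib/hdfs/lib"
  : > "$d/server/lib/hadoop-common-3.2.2.jar"
  : > "$d/server/lib/hadoop-hdfs-client-3.2.2.jar"
  : > "$d/contrib/hdfs/lib/hadoop-auth-3.3.4.jar"
  printf '%s\n' "$d"
}
```

Run `scan_hadoop_jars /path/to/solr` against a real install to get the per-JAR list, or `old_hadoop_jar_count` for a single number to feed into a ticket.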
