Thanks for your reply, and I understand. It is a separate department that is running the vulnerability scans and then reaching out to product owners for mitigation plans. I will relay this info.
It would help (me) if this info was presented on a public-facing solr webpage, but no worries.

Thanks again,
Jay

-----Original Message-----
From: Shawn Heisey <[email protected]>
Sent: Tuesday, November 1, 2022 9:23 AM
To: [email protected]
Subject: [External] Re: Upgrade Jackson / SOLR-16443

On 10/31/22 07:26, Silverman, Harry wrote:
> I see SOLR-16443 is being addressed in version 9.
>
> Will this jackson-databind update also be applied to 8.11?

In the issue, Kevin indicated that the CVEs are unlikely to affect Solr, and that our current stable branch for 9.x was being updated. We regularly update our dependencies to keep them current.

At this time, the change has not been backported to the 8.11 branch. Even if that happens, the problem is not severe enough to warrant a new 8.11.x release.

I'm guessing that your motivation comes from running a vulnerability scanner and getting a notification about a vulnerability in the old Solr version. If you cannot just flag those reports as false positives, something you could try is finding all the jackson jars in Solr and replacing them with a version that has the fix. To make sure that there are no issues with internal APIs, you would need to update ALL the jackson jars, not just those with the vulnerability. Jackson has a very stable external API, so that upgrade will PROBABLY work. I can't guarantee that, though.

Thanks,
Shawn
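The manual jar swap Shawn describes above (find every Jackson jar in the install, replace all of them, never just the one the scanner flagged) is easy to get half-right, so here is an added shell helper that inventories the jars, checks that they all sit on one version, and only swaps when a replacement exists for every artifact. This is example code written for this thread, not Solr project code and not something either correspondent posted. It assumes Maven-style `artifact-version.jar` file names; the directory layout, jar names and version numbers in `make_sample_tree` are constructed for the demonstration and are not the versions SOLR-16443 actually moved between. Replacing jars this way is the unsupported workaround from the e-mail: restart Solr afterwards and test it, since nothing here checks that the new Jackson actually works with your Solr build.

```shell
#!/bin/sh
# Added example: inventory Jackson jars under a Solr install, check that they
# are all on one version, and replace them consistently from a local directory.
# Jar names are assumed to be Maven style, e.g. jackson-databind-2.13.4.jar.

# jackson_jars DIR -> one line per jar: "<artifact> <version> <path>"
jackson_jars() {
  find "$1" -type f -name 'jackson-*.jar' | while IFS= read -r path; do
    base=$(basename "$path" .jar)
    version=${base##*-}          # text after the last dash, e.g. 2.13.4
    artifact=${base%-*}          # everything before it, e.g. jackson-dataformat-smile
    printf '%s %s %s\n' "$artifact" "$version" "$path"
  done
}

# jackson_versions DIR -> the distinct versions present, one per line
jackson_versions() {
  jackson_jars "$1" | awk '{print $2}' | sort -u
}

# check_uniform DIR -> succeeds only if every Jackson jar is on the same version,
# which is the "update ALL the jackson jars" condition from the e-mail
check_uniform() {
  n=$(jackson_versions "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 1 ]
}

# replace_jackson DIR NEWJARDIR -> swap every Jackson jar under DIR for the same
# artifact found in NEWJARDIR. Refuses to touch anything unless NEWJARDIR has a
# replacement for every artifact, so the install is never left half-upgraded.
replace_jackson() {
  dir=$1; newdir=$2
  jackson_jars "$dir" | while read -r artifact version path; do
    new=$(find "$newdir" -maxdepth 1 -name "$artifact-[0-9]*.jar" | head -n 1)
    [ -n "$new" ] || { echo "no replacement for $artifact in $newdir" >&2; exit 1; }
  done || return 1
  jackson_jars "$dir" | while read -r artifact version path; do
    new=$(find "$newdir" -maxdepth 1 -name "$artifact-[0-9]*.jar" | head -n 1)
    dest=$(dirname "$path")/$(basename "$new")
    cp "$new" "$dest"
    # if the install already had this exact file name, cp just refreshed it
    if [ "$path" != "$dest" ]; then rm "$path"; fi
  done
}

# make_sample_tree -> builds a CONSTRUCTED, empty-jar layout loosely modelled on
# a Solr install plus a directory of "new" jars; prints "<solrdir> <newjardir>".
# Paths and version numbers are illustrative only.
make_sample_tree() {
  root=$(mktemp -d)
  solr=$root/solr; new=$root/newjars
  lib=$solr/server/solr-webapp/webapp/WEB-INF/lib
  mkdir -p "$lib" "$solr/contrib/extraction/lib" "$new"
  for a in jackson-core jackson-databind jackson-annotations; do
    : > "$lib/$a-2.13.3.jar"
    : > "$new/$a-2.14.0.jar"
  done
  : > "$solr/contrib/extraction/lib/jackson-dataformat-smile-2.13.3.jar"
  : > "$new/jackson-dataformat-smile-2.14.0.jar"
  printf '%s %s\n' "$solr" "$new"
}
```

Run `check_uniform` on the real install before and after the swap: a mixed result afterwards means a jar was missed (contrib directories are easy to overlook), which is exactly the internal-API mismatch the e-mail warns about. Old Jackson 1.x `-asl` jars are a separate artifact family and are deliberately not matched as replacements for 2.x names by the `[0-9]` pattern.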
