Thank you so much for your detailed explanation. Upon further investigation, I’ve tracked down the root of the vulnerability.
{ "type": "jar", "name": "net.minidev_json-smart", "version": "1.3.2", "path": "/opt/solr-9.5.0/modules/hdfs/lib/hadoop-client-runtime-3.3.6.jar" },

This seems to be the root cause of both CVE-2021-31684 and CVE-2023-36478.

Thanks,
Sean

On 2024/02/14 06:37:35 Shawn Heisey wrote:
> On 2/13/2024 10:06, Shahryar Shagoshtasbi wrote:
> > Thank you for your prompt response.
> > Our scans have detected these CVEs in 9.1 and higher (at least the one we
> > have tested).
> > I’d highly appreciate if you could link me to the appropriate changelog for
> > these changes.
>
> Solr 8.11.3 was announced only five days ago. Solr 8 does not include
> json-smart, so it is not vulnerable to the second CVE. Version 8.11.3
> includes Jetty 9.4.53, which fixes the first CVE. Version 8.11.2 is
> vulnerable.
>
> Solr 9.0 includes json-smart 2.4.7. In 9.4.0 that was upgraded to
> version 9.4.10. All 9.x versions are not vulnerable to the second CVE.
>
> Solr 9.0.x and 9.1.x both include a vulnerable Jetty 9 version. In Solr
> 9.2.0, Jetty was upgraded to Jetty 10.0.13, which is also vulnerable.
> But in Solr 9.4.0 it was upgraded to 10.0.17, which is not vulnerable to
> that CVE. In 9.4.1 and 9.5.0 it was upgraded to 10.0.19.
>
> All versions of Solr before 8.11.3 are no longer supported. 8.11.3 is a
> release in maintenance mode, which means that only significant issues
> with no workaround will be fixed. 8.11.3 will be supported until 8.11.4
> or 10.0.0 is released, and there is no guarantee that 8.11.4 will ever
> happen.
>
> Although technically we are supporting all 9.x versions, vulnerabilities
> in older minor versions (currently 9.4.x and earlier) are only likely to
> be fixed in a new point release in the latest minor version (currently
> 9.5.x) or a new minor version.
>
> Thanks,
> Shawn
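The scan record quoted above places the old json-smart inside the hadoop-client-runtime uber-jar rather than in a jar of its own, which is why the hit does not match the json-smart version Solr itself ships. As an added example (not part of this thread and not Solr or Hadoop code), the Python below reads scanner records in that shape and flags components whose on-disk jar is a different artifact, i.e. shaded or bundled copies, next to any standalone copy of the same artifact at another version. The first sample record is the one quoted in the thread; the other two records, their paths, and the `group_artifact` naming convention used to derive artifact ids are assumptions made for the example.

```python
import json
import os
from collections import defaultdict

# Constructed sample scan output. The first record is the one quoted in the
# thread; the other two are assumed for illustration (paths and versions are
# not taken from a real scan).
SAMPLE_SCAN = """
[
  {"type": "jar", "name": "net.minidev_json-smart", "version": "1.3.2",
   "path": "/opt/solr-9.5.0/modules/hdfs/lib/hadoop-client-runtime-3.3.6.jar"},
  {"type": "jar", "name": "net.minidev_json-smart", "version": "2.4.7",
   "path": "/opt/solr-9.5.0/server/solr-webapp/webapp/WEB-INF/lib/json-smart-2.4.7.jar"},
  {"type": "jar", "name": "org.eclipse.jetty_jetty-server", "version": "10.0.19",
   "path": "/opt/solr-9.5.0/server/lib/jetty-server-10.0.19.jar"}
]
"""


def load_scan(text: str) -> list:
    """Parse the scanner's JSON array of component records."""
    return json.loads(text)


def artifact_id(name: str) -> str:
    """'net.minidev_json-smart' -> 'json-smart'.

    Assumes the scanner's 'group_artifact' naming convention seen in the
    quoted record; the group id is everything before the last underscore.
    """
    return name.rsplit("_", 1)[-1]


def is_nested(record: dict) -> bool:
    """True when the jar on disk is not the artifact itself.

    A record for json-smart whose path ends in hadoop-client-runtime-*.jar
    means the scanner found json-smart classes bundled (shaded) inside that
    jar, so upgrading Solr's own json-smart would not remove this copy.
    """
    jar = os.path.basename(record["path"])
    return not jar.startswith(artifact_id(record["name"]) + "-")


def triage(records: list) -> list:
    """Group hits by artifact and report every artifact that has a nested copy.

    Each finding lists the nested (version, path) pairs and the versions of
    any standalone copies, so a reviewer can see at once that a scan hit
    comes from an uber-jar rather than from the directly managed dependency.
    """
    by_artifact = defaultdict(list)
    for rec in records:
        by_artifact[artifact_id(rec["name"])].append(rec)

    findings = []
    for art, hits in sorted(by_artifact.items()):
        nested = [r for r in hits if is_nested(r)]
        if not nested:
            continue
        standalone = [r for r in hits if not is_nested(r)]
        findings.append({
            "artifact": art,
            "nested": [(r["version"], r["path"]) for r in nested],
            "standalone_versions": sorted({r["version"] for r in standalone}),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(load_scan(SAMPLE_SCAN)):
        print(f"{finding['artifact']}: standalone {finding['standalone_versions']}")
        for version, path in finding["nested"]:
            print(f"  bundled copy {version} inside {os.path.basename(path)}")
```

Run against the sample, the script reports json-smart as having a standalone copy plus a 1.3.2 copy bundled in hadoop-client-runtime-3.3.6.jar, while jetty-server produces no finding because its only hit is its own jar. The same grouping logic can be pointed at a full scanner export to separate "upgrade our own dependency" items from "the uber-jar we depend on needs a new release" items.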