Posted to users@solr.apache.org by Ng Pei Shan <pe...@websparks.sg> on 2023/01/30 18:19:55 UTC

Vulnerabilities detected by AWS inspector scan for v8.11.2-r0

Hi there,

We are using the Solr container image for our application. AWS Inspector Scan has reflected some vulnerabilities on the libraries.
May I know if this is the correct channel to seek help in the resolution of the below vulnerabilities?

Container image used: 8.11.2-r0
Platform: Debian 11

Below are the vulnerabilities reflected:
CVE-2022-25168 <https://github.com/advisories/GHSA-8wm5-8h9c-47pc> - org.apache.hadoop:hadoop-common
CVE-2022-26612 <https://github.com/advisories/GHSA-gx2c-fvhc-ph4j> - org.apache.hadoop:hadoop-common
CVE-2021-37404 <https://github.com/advisories/GHSA-rmpj-7c96-mrg8> - org.apache.hadoop:hadoop-common
CVE-2020-10650 <https://github.com/advisories/GHSA-rpr3-cw39-3pxh> - com.fasterxml.jackson.core:jackson-databind

Affected library:
hadoop-common-3.2.2.jar
htrace-core4-4.1.0-incubating.jar

Best Regards,
  Ng Pei Shan,
  Project Manager

  Websparks Pte Ltd
  61 Kaki Bukit Avenue 1, Shun Li Industrial Park #04-08 Singapore 417943
  (O): +65 6292-4654   (M) +65 9710-2851
  http://www.websparks.sg | * - Adding the sparkles to your web presence! - *


________________________________


"This email is confidential and may be privileged. If you are not the intended recipient, please delete it and notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. Thank you."

Re: Vulnerabilities detected by AWS inspector scan for v8.11.2-r0

Posted by Kevin Watters <kw...@kmwllc.com>.
Hi Ng,
  We maintain a custom build of Solr that fixes all of those (and many
more) on the 8.11.x branch.  Let me know if you're interested and if so
perhaps we can set up a time to chat about it.
Best Regards,
  -Kevin Watters
   KMW Technology

On Mon, Jan 30, 2023 at 2:26 PM Ng Pei Shan <pe...@websparks.sg> wrote:

> Hi there,
>
> We are using the Solr container image for our application. AWS Inspector Scan
> has reflected some vulnerabilities on the libraries.
> May I know if this is the correct channel to seek help in the resolution
> of the below vulnerabilities?
>
> Container image used: 8.11.2-r0
> Platform: Debian 11
>
> Below are the vulnerabilities reflected:
> CVE-2022-25168 <https://github.com/advisories/GHSA-8wm5-8h9c-47pc> -
> org.apache.hadoop:hadoop-common
> CVE-2022-26612 <https://github.com/advisories/GHSA-gx2c-fvhc-ph4j> -
> org.apache.hadoop:hadoop-common
> CVE-2021-37404 <https://github.com/advisories/GHSA-rmpj-7c96-mrg8> -
> org.apache.hadoop:hadoop-common
> CVE-2020-10650 <https://github.com/advisories/GHSA-rpr3-cw39-3pxh> -
> com.fasterxml.jackson.core:jackson-databind
>
> Affected library:
> hadoop-common-3.2.2.jar
> htrace-core4-4.1.0-incubating.jar
>
> Best Regards,
>
>   *Ng Pei Shan,*
>   Project Manager
>
>   *Websparks Pte Ltd*
>   61 Kaki Bukit Avenue 1, Shun Li Industrial Park #04-08 Singapore 417943
>   (O): +65 6292-4654   (M) +65 9710-2851
>   http://www.websparks.sg | * - Adding the sparkles to your web presence!
> - *