Posted to commits@lucene.apache.org by Apache Wiki <wi...@apache.org> on 2019/01/04 20:08:36 UTC

[Solr Wiki] Update of "SolrSecurity" by CassandraTargett

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Solr Wiki" for change notification.

The "SolrSecurity" page has been changed by CassandraTargett:
https://wiki.apache.org/solr/SolrSecurity?action=diff&rev1=55&rev2=56

Comment:
Add more reported jars from scans

  = Solr Security =
  
- The authoritative guide on security is in the [[https://lucene.apache.org/solr/guide/securing-solr.html|Reference Guide]]. The rest of this page is tips and tricks beyond what is mentioned in the Refguide.
+ The authoritative guide on implementing security is in the [[https://lucene.apache.org/solr/guide/securing-solr.html|Solr Reference Guide]]. This page describes security features in general, but also provides information about CVEs that have been patched or dependencies which do not require a patch for Solr.
  
  <<TableOfContents>>
  
@@ -144, +144 @@

  The following table lists the dependencies and associated CVEs which are not considered problems for Lucene or Solr.
  
  ||<style="font-weight: bold;">Solr Versions||<style="font-weight: bold;">Jar or Path||<style="font-weight: bold;">Related CVEs||<style="font-weight: bold;">Date Added||<style="font-weight: bold;">Status & Notes||
- || 7.3.1-7.5.0 || `tika-core.1.17.jar` (and earlier, versions reflect 1.17 only) || 2018-1335  || 6 Jun 2018 || Solr does not run tika-server, so this is not a problem.||
+ || 7.3.1-7.5.0 || `tika-core.1.17.jar` (and earlier) || 2018-1335  || 6 Jun 2018 || Solr does not run tika-server, so this is not a problem.||
- || 7.3.1-7.5.0 || `tika-core.1.17.jar` (and earlier, versions reflect 1.17 only) || 2018-1338 & 2018-1339 || 6 Jun 2018 || These issues would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems as indicated above. Additionally, Solr upgraded to Tika 1.18 in Solr 7.4. ||
+ || 7.3.1-7.5.0 || `tika-core.1.17.jar` (and earlier) || 2018-1338, 2018-1339 || 6 Jun 2018 || These issues would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems as indicated above. Additionally, Solr upgraded to Tika 1.18 in Solr 7.4. ||
- || 4.7.0-7.3.1 || `jackson-databind-2.5.4.jar` || Several: 2017-15095, 2017-17485, 2017-7525, 2018-5968, 2018-7489 || 6 Jun 2018 || Jackson was upgraded to 2.9.5 in Solr 7.4.||
+ || 4.7.0-7.3.1 || `jackson-databind-2.5.4.jar` (and earlier) || 2017-15095, 2017-17485, 2017-7525, 2018-5968, 2018-7489 || 6 Jun 2018 || Jackson was upgraded to 2.9.5 in Solr 7.4.||
- || 7.3.1 || `lucene-analyzers-icu-7.3.1.jar` || Several: 2014-7940, 2016-6293, 2016-7415, 2017-14952, 2017-17484, 2017-7867, 2017-7868 || 6 Jun 2018 || All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses. ||
+ || 7.3.1 || `lucene-analyzers-icu-7.3.1.jar` || 2014-7940, 2016-6293, 2016-7415, 2017-14952, 2017-17484, 2017-7867, 2017-7868 || 6 Jun 2018 || All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses. ||
  || 6.0.0-7.5.0 || `icu4j-56.1.jar`, `icu4j-59.1.jar` || 2017-14952 || 6 Jun 2018 || Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0 ||
  || 6.6.1-today || `hadoop-auth-2.7.4.jar` || [[https://www.cvedetails.com/cve/CVE-2017-15718/|2017-15718]] || 6 Jun 2018 || Does not impact Solr because Solr uses Hadoop as a client library. ||
  || 4.9.0-7.5.0 || `commons-beanutils-1.8.3.jar` || 2014-0114 || 6 Jun 2018 || This is only used at compile time and it cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. ||
- || 5.5.5, 6.2.0-today || `vorbis-java-tika-0.8.jar` || Several: 2016-6809, 2018-1335, 2018-1338, 2018-1339 || 6 Jun 2018 || See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all. ||
+ || 5.5.5, 6.2.0-today || `vorbis-java-tika-0.8.jar` || 2016-6809, 2018-1335, 2018-1338, 2018-1339 || 6 Jun 2018 || See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all. ||
  || ~2.9-today || `xercesImpl-2.9.1.jar` || [[https://www.cvedetails.com/cve/CVE-2012-0881/|2012-0881]] || 6 Jun 2018 || Only used in Lucene Benchmarks and Solr tests.  ||
- || 6.6.2-today || `velocity-tools-2.0.jar` contains Apache Struts 2.0.0 || [[https://nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Astruts%3A2.0.0|link to CVEs]] || 3 Nov 2018 || ?? ||
+ || 6.6.2-today || `velocity-tools-2.0.jar` contains Apache Struts 2.0.0 || [[https://nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Astruts%3A2.0.0|link to CVEs]] || 3 Nov 2018 || Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in [[https://issues.apache.org/jira/browse/SOLR-2849?focusedCommentId=13134361&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13134361|SOLR-2849]]). ||
  || 6.5.0-today || `protobuf-java-3.1.0.jar` || [[https://nvd.nist.gov/vuln/detail/CVE-2015-5237|2015-5237]] || 3 Nov 2018 || Dependency for Hadoop and Calcite. ?? ||
  || 4.6.0-today || `derby-10.9.1.0.jar` || || 3 Nov 2018 || Used only in DataImportHandler tests and example implementation, which should not be used in production. ||
+ || 4.6.0-7.6.0 || `junit-4.10.jar` || 2018-1000056 || 31 Dec 2018 || JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr. ||
+ || 4.6.0-today || `dom4j-1.6.1.jar` || 2018-1000632 || 31 Dec 2018 || Only used in Solr tests. ||
+ || 5.2.0-today || `org.restlet-2.3.0.jar` || 2017-14868, 2017-14949 || 31 Dec 2018 || Solr should not be exposed outside a firewall where bad actors can send HTTP requests. ||
+ || 4.6.0-today || `commons-compress` (only as part of Ant 1.8.2) || 2012-2098, 2018-1324, 2018-11771 || 31 Dec 2018|| Only used in test framework and at build time. ||
+ || 5.4.0-today || `carrot2-guava-18.0.jar` || 2018-10237 || 31 Dec 2018 || Only used with the Carrot2 clustering engine. ||
+ || 4.6.0-today || `guava-14.0.1.jar` || 2018-10237 || 31 Dec 2018 || ?? ||
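Review bot: Two rows in a table introduced as listing CVEs "not considered problems for Lucene or Solr" still carry "??" as their status (the existing `protobuf-java-3.1.0.jar` / 2015-5237 row and the newly added `guava-14.0.1.jar` / 2018-10237 row), so anyone scanning the table will read an unassessed finding as cleared; either hold those rows until a disposition exists or mark them explicitly as "Under evaluation". The added `org.restlet-2.3.0.jar` row gives "Solr should not be exposed outside a firewall" as its note, which is a deployment recommendation rather than a reason 2017-14868 and 2017-14949 do not apply, and it differs from the rationale every other row gives (test-only, build-only, or not the affected component); state whether Solr's use of Restlet reaches the affected code, or move the row out of this table. Minor: the `commons-compress` row omits the jar version that the other rows carry.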