Posted to commits@solr.apache.org by gi...@apache.org on 2024/01/12 19:49:40 UTC
(solr-site) branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new d4a734c00 Automatic Site Publish by Buildbot
d4a734c00 is described below
commit d4a734c00840a85513c61b1943be217993126de5
Author: buildbot <us...@infra.apache.org>
AuthorDate: Fri Jan 12 19:49:37 2024 +0000
Automatic Site Publish by Buildbot
---
output/community.html | 2 +-
output/downloads.html | 2 +-
output/editing-website.html | 2 +-
output/features.html | 2 +-
output/feeds/all.atom.xml | 20 +++++++++-
output/feeds/solr/security.atom.xml | 20 +++++++++-
output/guide/index.html | 2 +-
output/guide/solr-tutorial.html | 2 +-
output/index.html | 4 +-
output/logos-and-assets.html | 2 +-
output/news.html | 19 ++++++++-
output/operator/articles/explore-v030-gke.html | 2 +-
output/operator/artifacts.html | 2 +-
output/operator/community.html | 2 +-
output/operator/features.html | 2 +-
output/operator/index.html | 4 +-
output/operator/logos-and-assets.html | 2 +-
output/operator/news.html | 2 +-
output/operator/resources.html | 2 +-
output/resources.html | 2 +-
output/security.html | 53 ++++++++++++--------------
output/whoweare.html | 2 +-
22 files changed, 100 insertions(+), 52 deletions(-)
diff --git a/output/community.html b/output/community.html
index 5ede5510e..92d3abf56 100644
--- a/output/community.html
+++ b/output/community.html
@@ -336,7 +336,7 @@ to obtain a personal fork from which you can later contribute your changes based
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/downloads.html b/output/downloads.html
index 26cb872bb..c98acdccf 100644
--- a/output/downloads.html
+++ b/output/downloads.html
@@ -331,7 +331,7 @@ Due to the voluntary nature of Solr, no releases are scheduled in advance.</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/editing-website.html b/output/editing-website.html
index 841e596c6..c975ee6dc 100644
--- a/output/editing-website.html
+++ b/output/editing-website.html
@@ -223,7 +223,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/features.html b/output/features.html
index e12b3d4a7..947b6015f 100644
--- a/output/features.html
+++ b/output/features.html
@@ -1081,7 +1081,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/feeds/all.atom.xml b/output/feeds/all.atom.xml
index 5ce24473f..291989a92 100644
--- a/output/feeds/all.atom.xml
+++ b/output/feeds/all.atom.xml
@@ -1,5 +1,23 @@
<?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr</title><link href="/" rel="alternate"></link><link href="/feeds/all.atom.xml" rel="self"></link><id>/</id><updated>2023-10-20T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache Solr Operator™ v0.8.0 available</title><link href="/apache-solr-operatortm-v080-available.html" rel="alternate"></link><published>2023-10-20T00:00:00+00:00</published><updated>2023-10-20T00:00:00+00:00</updated><author [...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr</title><link href="/" rel="alternate"></link><link href="/feeds/all.atom.xml" rel="self"></link><id>/</id><updated>2024-01-12T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache Solr allows read access to host environment variables</title><link href="/apache-solr-allows-read-access-to-host-environment-variables.html" rel="alternate"></link><published>2024-01-12T00:00:00+00:00</published><updat [...]
+Solr 9.0 to 9.2.1</p>
+<p><strong>Description:</strong>
+Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.
+The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance.
+Users are able to specify which environment variables to hide, however, the default …</p></summary><content type="html"><p><strong>Versions Affected:</strong>
+Solr 9.0 to 9.2.1</p>
+<p><strong>Description:</strong>
+Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.
+The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance.
+Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties.
+Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-process.</p>
+<p>The Solr Metrics API is protected by the "metrics-read" permission.
+Therefore, Solr Clouds with Authorization setup will only be vulnerable via users with the "metrics-read" permission.</p>
+<p><strong>Mitigation:</strong>
+Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.</p>
+<p><strong>References:</strong>
+https://nvd.nist.gov/vuln/detail/CVE-2023-50290
+https://issues.apache.org/jira/browse/SOLR-16808</p></content><category term="solr/security"></category></entry><entry><title>Apache Solr Operator™ v0.8.0 available</title><link href="/apache-solr-operatortm-v080-available.html" rel="alternate"></link><published>2023-10-20T00:00:00+00:00</published><updated>2023-10-20T00:00:00+00:00</updated><author><name>Solr Developers</name></author><id>tag:None,2023-10-20:/apache-solr-operatortm-v080-available.html</id><summary type="html">< [...]
<p>The Apache Solr Operator is a safe and easy way of managing a Solr ecosystem in Kubernetes.</p>
<p>This release contains numerous bug fixes, optimizations, and improvements, some of which are highlighted below …</p></summary><content type="html"><p>The Apache Solr PMC is pleased to announce the release of the Apache Solr Operator v0.8.0.</p>
<p>The Apache Solr Operator is a safe and easy way of managing a Solr ecosystem in Kubernetes.</p>
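Review bot: the feed metadata carried through this hunk is malformed: the feed `<id>` is the bare path `/`, the entry ids are of the form `tag:None,2023-10-20:/...` (the `None` is a Python placeholder where the generator's tag-URI authority should be, so these are not valid tag URIs and feed readers may not deduplicate entries reliably), and `<subtitle></subtitle>` is emitted twice. None of this is introduced by the new CVE-2023-50290 entry, but the regeneration is a good moment to set the generator's site URL / feed domain so that ids become absolute and to drop the duplicate subtitle element.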
diff --git a/output/feeds/solr/security.atom.xml b/output/feeds/solr/security.atom.xml
index bf272a90a..0af2cbc42 100644
--- a/output/feeds/solr/security.atom.xml
+++ b/output/feeds/solr/security.atom.xml
@@ -1,5 +1,23 @@
<?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr - solr/security</title><link href="/" rel="alternate"></link><link href="/feeds/solr/security.atom.xml" rel="self"></link><id>/</id><updated>2022-11-20T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache Solr is vulnerable to CVE-2022-39135 via /sql handler</title><link href="/apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler.html" rel="alternate"></link><published>2022-11-20T00:00:0 [...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr - solr/security</title><link href="/" rel="alternate"></link><link href="/feeds/solr/security.atom.xml" rel="self"></link><id>/</id><updated>2024-01-12T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache Solr allows read access to host environment variables</title><link href="/apache-solr-allows-read-access-to-host-environment-variables.html" rel="alternate"></link><published>2024-01-12T00:00: [...]
+Solr 9.0 to 9.2.1</p>
+<p><strong>Description:</strong>
+Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.
+The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance.
+Users are able to specify which environment variables to hide, however, the default …</p></summary><content type="html"><p><strong>Versions Affected:</strong>
+Solr 9.0 to 9.2.1</p>
+<p><strong>Description:</strong>
+Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.
+The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance.
+Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties.
+Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-process.</p>
+<p>The Solr Metrics API is protected by the "metrics-read" permission.
+Therefore, Solr Clouds with Authorization setup will only be vulnerable via users with the "metrics-read" permission.</p>
+<p><strong>Mitigation:</strong>
+Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.</p>
+<p><strong>References:</strong>
+https://nvd.nist.gov/vuln/detail/CVE-2023-50290
+https://issues.apache.org/jira/browse/SOLR-16808</p></content><category term="solr/security"></category></entry><entry><title>Apache Solr is vulnerable to CVE-2022-39135 via /sql handler</title><link href="/apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler.html" rel="alternate"></link><published>2022-11-20T00:00:00+00:00</published><updated>2022-11-20T00:00:00+00:00</updated><author><name>Solr Developers</name></author><id>tag:None,2022-11-20:/apache-solr-is-vulnerable-to [...]
Solr 6.5 to 8.11.2
Solr 9.0</p>
<p><strong>Description:</strong>
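Review bot: the Mitigation paragraph only says "upgrade to version 9.3.0 or later", while the Description itself notes that users can specify which environment variables to hide and that access is gated by the "metrics-read" permission. For operators who cannot upgrade immediately, the advisory would be more useful if it stated the interim options explicitly (enable authorization and restrict "metrics-read", and add sensitive variable names to the hidden list) and made the converse of the Authorization sentence explicit: an instance with no authorization configured exposes the variables to anyone who can reach the Metrics API.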
diff --git a/output/guide/index.html b/output/guide/index.html
index 7563e12f1..6e0019b2d 100644
--- a/output/guide/index.html
+++ b/output/guide/index.html
@@ -219,7 +219,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/guide/solr-tutorial.html b/output/guide/solr-tutorial.html
index 669cbbc29..48a655bb1 100644
--- a/output/guide/solr-tutorial.html
+++ b/output/guide/solr-tutorial.html
@@ -190,7 +190,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/index.html b/output/index.html
index 1631d25d7..deecd1900 100644
--- a/output/index.html
+++ b/output/index.html
@@ -112,7 +112,7 @@
</div>
<div class="header-fill"></div>
-<section class="security" latest-date="2022-11-20">
+<section class="security" latest-date="2024-01-12">
<div class="row">
<div class="large-12 columns text-center">
<h2><a href="security.html">⚠ There are recent security announcements. Read more on the Security page.</a></h2>
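Review bot: `latest-date` on the `<section>` element is not a conforming HTML attribute; since this line is being regenerated anyway, the value belongs in a `data-latest-date="2024-01-12"` attribute (and whatever script reads it should be updated to match). The same attribute is regenerated in output/operator/index.html in this commit, so both should change together.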
@@ -419,7 +419,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/logos-and-assets.html b/output/logos-and-assets.html
index 3fb2c2df2..31bd95a45 100644
--- a/output/logos-and-assets.html
+++ b/output/logos-and-assets.html
@@ -243,7 +243,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/news.html b/output/news.html
index bde5de18d..c1d95dcd2 100644
--- a/output/news.html
+++ b/output/news.html
@@ -132,6 +132,23 @@
<h1 id="solr-news">Solr<sup>™</sup> News<a class="headerlink" href="#solr-news" title="Permanent link">¶</a></h1>
<p>You may also read these news as an <a href="/feeds/solr/news.atom.xml">ATOM feed</a>.</p>
+ <h2 id="apache-solr-allows-read-access-to-host-environment-variables">12 January 2024, Apache Solr allows read access to host environment variables
+ <a class="headerlink" href="#apache-solr-allows-read-access-to-host-environment-variables" title="Permanent link">¶</a>
+ </h2>
+ <p><strong>Versions Affected:</strong>
+Solr 9.0 to 9.2.1</p>
+<p><strong>Description:</strong>
+Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.
+The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance.
+Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties.
+Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-process.</p>
+<p>The Solr Metrics API is protected by the "metrics-read" permission.
+Therefore, Solr Clouds with Authorization setup will only be vulnerable via users with the "metrics-read" permission.</p>
+<p><strong>Mitigation:</strong>
+Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.</p>
+<p><strong>References:</strong>
+https://nvd.nist.gov/vuln/detail/CVE-2023-50290
+https://issues.apache.org/jira/browse/SOLR-16808</p>
<h2 id="apache-solrtm-940-available">15 October 2023, Apache Solr™ 9.4.0 available
<a class="headerlink" href="#apache-solrtm-940-available" title="Permanent link">¶</a>
</h2>
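Review bot: the two references at the end of the new entry are emitted as bare text inside a `<p>` (`https://nvd.nist.gov/vuln/detail/CVE-2023-50290` and the SOLR-16808 JIRA URL), so they are not clickable, whereas older advisories on the site render references as a `<ul>` of `<a>` links (compare the CVE-2017-3164 block removed from output/security.html in this same commit). The source markdown for the announcement should use link syntax or a list so the generator produces anchors.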
@@ -4069,7 +4086,7 @@ file included with the release for a full list of details.</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/articles/explore-v030-gke.html b/output/operator/articles/explore-v030-gke.html
index ef6b337f3..1914e27d4 100644
--- a/output/operator/articles/explore-v030-gke.html
+++ b/output/operator/articles/explore-v030-gke.html
@@ -1009,7 +1009,7 @@ Let’s us know, we’re on slack <a href="https://kubernetes.slack.com/messages
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/artifacts.html b/output/operator/artifacts.html
index cddd2882e..f1e17db23 100644
--- a/output/operator/artifacts.html
+++ b/output/operator/artifacts.html
@@ -340,7 +340,7 @@ Source releases are provided for the operator, however binaries are only provide
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/community.html b/output/operator/community.html
index 0c3ef2126..44313ed7a 100644
--- a/output/operator/community.html
+++ b/output/operator/community.html
@@ -233,7 +233,7 @@ to obtain a personal fork from which you can later contribute your changes throu
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/features.html b/output/operator/features.html
index a1e1d8369..2d1c6b8e6 100644
--- a/output/operator/features.html
+++ b/output/operator/features.html
@@ -391,7 +391,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/index.html b/output/operator/index.html
index eb8b67f9c..799fa1f73 100644
--- a/output/operator/index.html
+++ b/output/operator/index.html
@@ -107,7 +107,7 @@
</div>
<div class="header-fill"></div>
-<section class="security" latest-date="2022-11-20">
+<section class="security" latest-date="2024-01-12">
<div class="row">
<div class="large-12 columns text-center">
<h2><a href="/security.html">⚠ There are recent security announcements. Read more on the Solr Security page.</a></h2>
@@ -476,7 +476,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/logos-and-assets.html b/output/operator/logos-and-assets.html
index 2b4683dc2..a5bd78327 100644
--- a/output/operator/logos-and-assets.html
+++ b/output/operator/logos-and-assets.html
@@ -226,7 +226,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/news.html b/output/operator/news.html
index e593bf63a..07f9dee6c 100644
--- a/output/operator/news.html
+++ b/output/operator/news.html
@@ -406,7 +406,7 @@ Make sure to run the new <code>make prepare</code> command before submitting a P
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/resources.html b/output/operator/resources.html
index 1e67bac8d..c27996834 100644
--- a/output/operator/resources.html
+++ b/output/operator/resources.html
@@ -234,7 +234,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/resources.html b/output/resources.html
index dcbc896c5..bfc9362bd 100644
--- a/output/resources.html
+++ b/output/resources.html
@@ -381,7 +381,7 @@ Rafał Kuć is proud to introduce a new book on Solr, <a href="http://www.packtp
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/security.html b/output/security.html
index 3568a6046..a6b42b78e 100644
--- a/output/security.html
+++ b/output/security.html
@@ -187,6 +187,11 @@ with you to see if we can provide this information in other variations or format
<th width="95">Date</th>
<th>Announcement</th>
</tr>
+ <tr>
+ <td><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-50290">CVE-2023-50290</a></td>
+ <td>2024-01-12</td>
+ <td><a href="#apache-solr-allows-read-access-to-host-environment-variables">Apache Solr allows read access to host environment variables</a></td>
+ </tr>
<tr>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-39135">CVE-2022-39135</a></td>
<td>2022-11-20</td>
@@ -257,13 +262,26 @@ with you to see if we can provide this information in other variations or format
<td>2019-03-06</td>
<td><a href="#cve-2019-0192-deserialization-of-untrusted-data-via-jmxserviceurl-in-apache-solr">Deserialization of untrusted data via jmx.serviceUrl in Apache Solr</a></td>
</tr>
- <tr>
- <td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-3164">CVE-2017-3164</a></td>
- <td>2019-02-12</td>
- <td><a href="#cve-2017-3164-ssrf-issue-in-apache-solr">SSRF issue in Apache Solr</a></td>
- </tr>
</table>
+ <h2 id="apache-solr-allows-read-access-to-host-environment-variables">2024-01-12, Apache Solr allows read access to host environment variables
+ <a class="headerlink" href="#apache-solr-allows-read-access-to-host-environment-variables" title="Permanent link">¶</a>
+ </h2>
+ <p><strong>Versions Affected:</strong>
+Solr 9.0 to 9.2.1</p>
+<p><strong>Description:</strong>
+Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.
+The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance.
+Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties.
+Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-process.</p>
+<p>The Solr Metrics API is protected by the "metrics-read" permission.
+Therefore, Solr Clouds with Authorization setup will only be vulnerable via users with the "metrics-read" permission.</p>
+<p><strong>Mitigation:</strong>
+Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.</p>
+<p><strong>References:</strong>
+https://nvd.nist.gov/vuln/detail/CVE-2023-50290
+https://issues.apache.org/jira/browse/SOLR-16808</p>
+ <hr/>
<h2 id="apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler">2022-11-20, Apache Solr is vulnerable to CVE-2022-39135 via /sql handler
<a class="headerlink" href="#apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler" title="Permanent link">¶</a>
</h2>
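Review bot: the new advisory omits the Severity and Credit fields that the site's earlier advisory sections carry (see the CVE-2017-3164 section removed below in this file, which has both), so readers skimming the page cannot rank it against the others. Since this page is generated from the announcement source, the fix is to add a "Severity:" line to that source; the "Versions Affected: Solr 9.0 to 9.2.1" and "upgrade to version 9.3.0 or later" statements are consistent with each other as written.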
@@ -655,29 +673,6 @@ Michael Stepankin</p>
<ul>
<li><a href="https://issues.apache.org/jira/browse/SOLR-13301">https://issues.apache.org/jira/browse/SOLR-13301</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity">https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity</a></li>
-</ul>
- <hr/>
- <h2 id="cve-2017-3164-ssrf-issue-in-apache-solr">2019-02-12, CVE-2017-3164: SSRF issue in Apache Solr
- <a class="headerlink" href="#cve-2017-3164-ssrf-issue-in-apache-solr" title="Permanent link">¶</a>
- </h2>
- <p><strong>Severity:</strong> High</p>
-<p><strong>Vendor:</strong><br>
-The Apache Software Foundation</p>
-<p><strong>Versions Affected:</strong>
-Apache Solr versions from 1.3 to 7.6.0</p>
-<p><strong>Description:</strong><br>
-The "shards" parameter does not have a corresponding whitelist mechanism,
-so it can request any URL.</p>
-<p><strong>Mitigation:</strong><br>
-Upgrade to Apache Solr 7.7.0 or later.
-Ensure your network settings are configured so that only trusted traffic is
-allowed to ingress/egress your hosts running Solr.</p>
-<p><strong>Credit:</strong><br>
-dk from Chaitin Tech</p>
-<p><strong>References:</strong></p>
-<ul>
-<li><a href="https://issues.apache.org/jira/browse/SOLR-12770">https://issues.apache.org/jira/browse/SOLR-12770</a></li>
-<li><a href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity">https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity</a></li>
</ul>
<hr/>
<h1 id="cve-reports-for-apache-solr-dependencies">CVE reports for Apache Solr dependencies</h1>
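Review bot: this hunk removes the entire CVE-2017-3164 (SSRF via the "shards" parameter, affecting Solr 1.3 to 7.6.0) section and the earlier hunk drops its table row, so the page now lists one fewer historical advisory and the anchor `#cve-2017-3164-ssrf-issue-in-apache-solr` no longer resolves, breaking any inbound links to it. If the generator is meant to keep only a fixed window of recent advisories, the page should say where the older ones went (an archive page or the security feed); if not, the removal is a regression and the entry should be restored.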
@@ -1106,7 +1101,7 @@ dk from Chaitin Tech</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/whoweare.html b/output/whoweare.html
index 7cd09b7b6..fcc2f1484 100644
--- a/output/whoweare.html
+++ b/output/whoweare.html
@@ -259,7 +259,7 @@ have direct write access to the source repositories. Developers may be invited a
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.