Posted to dev@lucene.apache.org by Praveen Kamath <pr...@acquia.com> on 2024/01/08 06:43:17 UTC

CVEs reported in Solr 8.11.2

Hey Team,

Greetings for the day. This is Praveen from Acquia - one of your Solr
customers.
We recently ran an ORCA scan on our Solr instances and got to know of
several vulnerabilities in Lucene 8.11.2. I couldn't find any tickets
regarding the vulnerability reported in bcprov-jdk15on-1.69.jar (1.69):
org.bouncycastle:bcprov-jdk15on library in your issue tracker
<https://issues.apache.org/jira/>.
I want to raise a ticket for this. Kindly help me with the process to do so.

Thanks and regards,
Praveen Kamath
Staff Engineer, Acquia

Re: CVEs reported in Solr 8.11.2

Posted by Mikhail Khludnev <mk...@apache.org>.
Hello Praveen,
IIRC this jar is used only by the Tika (Solr Cell) module, which is disabled by
default. So, it's up to the user to turn on this vulnerability.

On Mon, Jan 8, 2024 at 9:55 AM Praveen Kamath <pr...@acquia.com>
wrote:

> Hey Team,
>
> Greetings for the day. This is Praveen from Acquia - one of your Solr
> customers.
> We recently ran an ORCA scan on our Solr instances and got to know of
> several vulnerabilities in Lucene 8.11.2. I couldn't find any tickets
> regarding the vulnerability reported in bcprov-jdk15on-1.69.jar (1.69):
> org.bouncycastle:bcprov-jdk15on library in your issue tracker
> <https://issues.apache.org/jira/>.
> I want to raise a ticket for this. Kindly help me with the process to do
> so.
>
> Thanks and regards,
> Praveen Kamath
> Staff Engineer, Acquia
>


-- 
Sincerely yours
Mikhail Khludnev
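
One way to check the point made in the reply above for a given core, as an added example that is not part of the thread or of Solr's own code: it scans a solrconfig.xml for a registered ExtractingRequestHandler or a <lib> directive that loads the extraction contrib. The sample configs are constructed, and the class name, handler path and contrib/extraction directory are assumed from the stock Solr 8.x layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample solrconfig.xml fragments (not taken from the thread).
# Assumption: stock Solr 8.x naming for the Solr Cell contrib and its handler.
ENABLED = r"""<config>
  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib" regex=".*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-cell-\d.*\.jar" />
  <requestHandler name="/update/extract"
                  class="solr.extraction.ExtractingRequestHandler" />
</config>"""

DEFAULT = r"""<config>
  <requestHandler name="/select" class="solr.SearchHandler" />
</config>"""


def solr_cell_findings(solrconfig_xml):
    """Return the reasons this config would load Solr Cell (Tika) and its jars."""
    root = ET.fromstring(solrconfig_xml)
    findings = []

    # <lib> directives put the contrib's jars on the core's classpath.
    for lib in root.iter("lib"):
        target = " ".join(lib.get(a, "") for a in ("dir", "path", "regex"))
        if "contrib/extraction" in target or "solr-cell" in target:
            findings.append("lib: " + (lib.get("dir") or lib.get("path") or "?"))

    # A registered extracting handler means the module is reachable over HTTP.
    for handler in root.iter("requestHandler"):
        if handler.get("class", "").endswith("ExtractingRequestHandler"):
            findings.append("handler: " + handler.get("name", "?"))

    return findings


if __name__ == "__main__":
    for label, xml_text in (("enabled", ENABLED), ("default", DEFAULT)):
        hits = solr_cell_findings(xml_text)
        print(label, "->", hits if hits else "Solr Cell not loaded by this config")
```

An empty result only says the core's config does not load the module; a file-based scanner will still report the jar if it is present in the installation directory.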