Posted to solr-user@lucene.apache.org by "Narayanan, Lakshmi" <la...@mmc.com.INVALID> on 2020/09/28 17:51:57 UTC

Vulnerabilities in SOLR 8.6.2

Hello Solr-User Support team
We have installed the SOLR 8.6.2 package into docker container in our DEV environment. Prior to using it, our security team scanned the docker image using SysDig and found a lot of Critical/High/Medium vulnerabilities. The full list is in the attached spreadsheet

Scan Summary
30 STOPS     190 WARNS    188 Vulnerabilities

Please advise or point us to how/where to get a package that has been patched for the Critical/High/Medium vulnerabilities in the attached spreadsheet
Your help will be gratefully received


Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com



________________________________


**********************************************************************
This e-mail, including any attachments that accompany it, may contain
information that is confidential or privileged. This e-mail is
intended solely for the use of the individual(s) to whom it was intended to be
addressed. If you have received this e-mail and are not an intended recipient,
any disclosure, distribution, copying or other use or
retention of this email or information contained within it are prohibited.
If you have received this email in error, please immediately
reply to the sender via e-mail and also permanently
delete all copies of the original message together with any of its attachments
from your computer or device.
**********************************************************************

Re: Vulnerabilities in SOLR 8.6.2

Posted by Cassandra Targett <ca...@gmail.com>.
Solr follows the ASF policy for reporting vulnerabilities, described in this page on our website: https://lucene.apache.org/solr/security.html. This page also lists known vulnerabilities that have been addressed, with their mitigation steps.

Scanning tools are commonly full of false positives, so for this reason the community does not accept unfiltered scanner output, such as a spreadsheet, as a vulnerability report.

We attempt to maintain a list of known false positives (also linked from the website) at: https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools. But in all honesty such a list is really hard to keep up with. Exact versions in your report may differ from what's on the list, but usually the general conclusion that it's not an exploitable issue remains. For example, our list notes a CVE for 'dom4j-1.6.1.jar' is not an exploitable vulnerability because it is only used in tests. If a CVE comes out for 'dom4j-1.7.3.jar' (if such a version exists), the fact remains that the dependency is only used in tests and is still not exploitable in a production system.

If you do find a real vulnerability you are concerned about, ASF policy is for you to privately report it to the community so it can be addressed before hackers have a chance to attempt to exploit user systems. How to do that is also described on the Security page on our website linked above.

-Cassandra
On Sep 28, 2020, 2:07 PM -0500, Narayanan, Lakshmi <la...@mmc.com.invalid>, wrote:
> Hello Solr-User Support team
> We have installed the SOLR 8.6.2 package into docker container in our DEV environment. Prior to using it, our security team scanned the docker image using SysDig and found a lot of Critical/High/Medium vulnerabilities. The full list is in the attached spreadsheet
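One way to do the filtering Cassandra's reply describes, as an added example that is not code from the Solr project or from anyone in this thread: it parses a constructed scanner export, matches each artifact against a known-false-positive list by base name (so a dom4j version the list never mentions still inherits the test-only verdict), and leaves everything else for human review and, if real, a private report. The CSV rows, the list entry, the example artifact names and the CVE ids are all constructed placeholders.

```python
"""Triage raw scanner output against a known-false-positive list.

Added example, not code from the Solr project or from anyone in the thread.
The CSV rows and the false-positive entry below are constructed; the CVE ids
are placeholders, not real identifiers.
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    artifact: str   # file name as reported by the scanner, e.g. dom4j-1.6.1.jar
    cve: str
    severity: str


# Constructed entry in the spirit of the Solr wiki list the reply links to.
# Keyed by artifact base name (no version): the reason a finding is not
# exploitable (test-only dependency) does not change with the jar version.
KNOWN_FALSE_POSITIVES = {
    "dom4j": "only used in tests; not on the classpath of a running Solr node",
}

# Maven-style "<name>-<version>.jar"; the lazy name group lets the name itself
# contain dashes (e.g. commons-io-2.8.0.jar) because the version must start
# with a digit.
_JAR_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.+-]+?)-(?P<version>\d[\w.]*)\.jar$")


def split_artifact(artifact):
    """Return (name, version) for a Maven-style jar name, or (artifact, None)."""
    m = _JAR_RE.match(artifact)
    return (m.group("name"), m.group("version")) if m else (artifact, None)


def parse_scan_csv(text):
    """Parse a constructed 'artifact,cve,severity' export into Finding objects."""
    rows = csv.DictReader(io.StringIO(text))
    return [Finding(r["artifact"].strip(), r["cve"].strip(), r["severity"].strip())
            for r in rows]


def triage(findings, known_fp=KNOWN_FALSE_POSITIVES):
    """Partition findings into (suppressed, to_review).

    suppressed: (finding, reason) pairs whose artifact is on the list, whatever
                exact version the scanner reported.
    to_review:  everything else; these need a human look before anyone files a
                report, and a real issue goes through the private ASF channel.
    """
    suppressed, to_review = [], []
    for f in findings:
        name, _version = split_artifact(f.artifact)
        reason = known_fp.get(name)
        if reason:
            suppressed.append((f, reason))
        else:
            to_review.append(f)
    return suppressed, to_review


def severity_counts(findings):
    """Count remaining findings by severity so a report leads with what matters."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample export; artifact names and CVE ids are placeholders.
SAMPLE_CSV = """artifact,cve,severity
dom4j-1.6.1.jar,CVE-0000-0001,Critical
dom4j-1.7.3.jar,CVE-0000-0002,High
examplelib-2.0.0.jar,CVE-0000-0003,Medium
examplelib-2.0.0.jar,CVE-0000-0004,Critical
"""

if __name__ == "__main__":
    suppressed, to_review = triage(parse_scan_csv(SAMPLE_CSV))
    for f, reason in suppressed:
        print(f"suppress {f.artifact} {f.cve}: {reason}")
    print("still to review:", severity_counts(to_review))
```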

Re: Vulnerabilities in SOLR 8.6.2

Posted by Walter Underwood <wu...@wunderwood.org>.
1. There is no Solr support team. This is a mailing list of volunteers using the software.
2. I do not recommend running Solr in a Docker container for production.
3. Please review the Solr Jira for security issues. If you believe that there are security vulnerabilities that need to be fixed, open a Jira issue.

https://issues.apache.org/jira/projects/SOLR/issues/SOLR-14792?filter=allopenissues

wunder
Walter Underwood
wunder@wunderwood.org
http://observer.wunderwood.org/  (my blog)

> On Dec 11, 2020, at 8:50 AM, Narayanan, Lakshmi <la...@mmc.com.INVALID> wrote:
> 
> Can anyone please advise?
> Who else should be notified to get some guidance on this please??


FW: Vulnerabilities in SOLR 8.6.2

Posted by "Narayanan, Lakshmi" <la...@mmc.com.INVALID>.
Can anyone please advise?
Who else should be notified to get some guidance on this please??

Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com


From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Friday, November 13, 2020 11:21 AM
To: solr-user@lucene.apache.org
Subject: FW: Vulnerabilities in SOLR 8.6.2

This is my 5th attempt in the last 60 days
Is there anyone looking at these mails?
Does anyone care?? :(


Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com


From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Thursday, October 22, 2020 1:06 PM
To: solr-user@lucene.apache.org
Subject: FW: Vulnerabilities in SOLR 8.6.2

This is my 4th attempt to contact
Please advise, if there is a build that fixes these vulnerabilities

Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com


From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Sunday, October 18, 2020 4:01 PM
To: solr-user@lucene.apache.org
Subject: FW: Vulnerabilities in SOLR 8.6.2

SOLR-User Support team
Is there anyone who can answer my question or can point to someone who can help
I have not had any response for the past 3 weeks !?
Please advise


Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com


From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Sunday, October 04, 2020 2:11 PM
To: solr-user@lucene.apache.org
Cc: Chattopadhyay, Salil <sa...@mmc.com>; Mutnuri, Vishnu D <vi...@mmc.com>; Pathak, Omkar <om...@mmc.com>; Shenouda, Nasir B <na...@mmc.com>
Subject: RE: Vulnerabilities in SOLR 8.6.2

Hello Solr-User Support team
Please advise or provide further guidance on the request below

Thank you!

Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com


From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Monday, September 28, 2020 1:52 PM
To: solr-user@lucene.apache.org
Cc: Chattopadhyay, Salil <sa...@mmc.com>; Mutnuri, Vishnu D <vi...@mmc.com>; Pathak, Omkar <om...@mmc.com>; Shenouda, Nasir B <na...@mmc.com>
Subject: Vulnerabilities in SOLR 8.6.2
Importance: High

Hello Solr-User Support team
We have installed the SOLR 8.6.2 package into docker container in our DEV environment. Prior to using it, our security team scanned the docker image using SysDig and found a lot of Critical/High/Medium vulnerabilities. The full list is in the attached spreadsheet

Scan Summary
30 STOPS     190 WARNS    188 Vulnerabilities

Please advise or point us to how/where to get a package that has been patched for the Critical/High/Medium vulnerabilities in the attached spreadsheet
Your help will be gratefully received


Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com



Re: FW: Vulnerabilities in SOLR 8.6.2

Posted by Kevin Risden <kr...@apache.org>.
As far as I can tell only your first and 5th emails went through. Either
way, Cassandra responded on 20200929 - ~15 hrs after your first message:

http://mail-archives.apache.org/mod_mbox/lucene-solr-user/202009.mbox/%3Cbe447e96-60ed-4a40-88dd-9e0c28be6c71%40Spark%3E

Kevin Risden


On Fri, Nov 13, 2020 at 11:35 AM Narayanan, Lakshmi
<la...@mmc.com.invalid> wrote:

> This is my 5th attempt in the last 60 days
>
> Is there anyone looking at these mails?
>
> Does anyone care?? :(

FW: Vulnerabilities in SOLR 8.6.2

Posted by "Narayanan, Lakshmi" <la...@mmc.com.INVALID>.
This is my 5th attempt in the last 60 days
Is there anyone looking at these mails?
Does anyone care?? :(


Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com