Posted to issues@solr.apache.org by "Cassandra Targett (Jira)" <ji...@apache.org> on 2021/08/13 16:32:00 UTC

[jira] [Commented] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813

    [ https://issues.apache.org/jira/browse/SOLR-15529?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17398768#comment-17398768 ] 

Cassandra Targett commented on SOLR-15529:
------------------------------------------

CVE info link: https://nvd.nist.gov/vuln/detail/CVE-2021-33813

There is no JDOM release that yet contains the fix for this vulnerability, so nothing can be done with this yet. See https://github.com/hunterhacker/jdom/pull/188.

However, JDOM is only included in the Solr Cell contrib, which is not recommended for production use. That makes it difficult to exploit - Solr Cell shouldn't be enabled in any system that's public enough to get a DoS attack.

Additionally, Solr Cell uses Tika, which is why I think we have this dependency, and Tika has analyzed its vulnerability to it and determined that it's limited to two libraries: https://issues.apache.org/jira/browse/TIKA-3488

My point of view on this is that it's unexploitable in Solr and we should add it to the list of CVEs that can be safely ignored at https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools. Maybe [~tallison], you could weigh in?

> High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813
> ----------------------------------------------------------------------------------
>
>                 Key: SOLR-15529
>                 URL: https://issues.apache.org/jira/browse/SOLR-15529
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 8.9
>            Reporter: WCM RnD
>            Priority: Critical
>
> A high security vulnerability has been reported in the JDOM library bundled within SOLR 8.9:
> CVE-2021-33813
> *Affected Component(s):* JDOM
> *Vulnerability Published:* 2021-06-16 08:15 EDT
> *Vulnerability Updated:* 2021-06-21 18:21 EDT
> *CVSS Score:* 7.5 (overall), 7.5 (base)
> *Summary*: An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
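A defensive illustration added here, not code from Solr, JDOM or the issue reporter: a JDOM 2.x SAXBuilder configured to reject DOCTYPE declarations and external entities, which is what stops an XXE document of the kind the summary describes from ever reaching entity resolution. The class name, the sample documents and the placeholder entity URI are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;

/** Example hardening for JDOM 2.x (org.jdom2); assumes JDOM 2.x is on the classpath. */
public final class HardenedJdomExample {

    /** Returns a SAXBuilder that refuses any DOCTYPE, so no entity can be declared or fetched. */
    public static SAXBuilder hardenedBuilder() {
        SAXBuilder builder = new SAXBuilder();
        // Primary control: reject <!DOCTYPE ...> outright. This removes the whole
        // entity mechanism, including external entities pointing at slow or remote resources.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour these but not the feature above.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Do not substitute entity references into the built tree.
        builder.setExpandEntities(false);
        return builder;
    }

    /** Parses untrusted XML with the given builder and returns the root element name. */
    public static String rootName(SAXBuilder builder, String xml)
            throws JDOMException, IOException {
        Document doc = builder.build(new StringReader(xml));
        return doc.getRootElement().getName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity. The URI is a
        // placeholder; with the hardened builder it is never contacted.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://placeholder.invalid/entity\">]>"
                + "<d>&ext;</d>";
        String benign = "<response><doc id=\"1\"/></response>";

        SAXBuilder hardened = hardenedBuilder();
        System.out.println("benign root: " + rootName(hardened, benign));
        try {
            rootName(hardened, withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (JDOMException e) {
            // Expected path: the parser rejects the document at the DOCTYPE, before
            // any entity resolution can happen.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```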
