Does CVE-2022-46364 affect Solr 7.3.1

[Wesley Philip <we...@hcl.com.INVALID>]

Hello,

Mend security scan has flagged cxf-core-3.4.3.jar with  CVE-2022-46364.  I believe this jar is pulled in as a dependency of Solr 7.3.1.  I'm wondering if Solr is truly vulnerable to this issue.

Thanks,

Wesley
::DISCLAIMER::
________________________________
The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. E-mail transmission is not guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or may contain viruses in transmission. The e mail and its contents (with or without referred errors) shall therefore not attach any liability on the originator or HCL or its affiliates. Views or opinions, if any, presented in this email are solely those of the author and may not necessarily reflect the views or opinions of HCL or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of this message without the prior written consent of authorized representative of HCL is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately. Before opening any email and/or attachments, please check them for viruses and other defects.
________________________________

Re: Does CVE-2022-46364 affect Solr 7.3.1

[Shawn Heisey <ap...@elyograg.org>]

On 1/11/23 09:44, Wesley Philip wrote:
> Hello,
> 
> Mend security scan has flagged cxf-core-3.4.3.jar with  CVE-2022-46364.  I believe this jar is pulled in as a dependency of Solr 7.3.1.  I'm wondering if Solr is truly vulnerable to this issue.

I don't see any file with "cxf" in its name (checked for it case 
insensitive) either in Solr 7.3.1 or Solr built from branch_9x.

I have never heard of CXF before.  I am reasonably certain that Solr 
does not include it.  Where did you hear that Solr uses it?

Thanks,
Shawn