You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2022/11/03 12:13:00 UTC
[jira] [Resolved] (SOLR-15855) CVEs in shadowed dependencies
[ https://issues.apache.org/jira/browse/SOLR-15855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Høydahl resolved SOLR-15855.
--------------------------------
Resolution: Implemented
> CVEs in shadowed dependencies
> -----------------------------
>
> Key: SOLR-15855
> URL: https://issues.apache.org/jira/browse/SOLR-15855
> Project: Solr
> Issue Type: Bug
> Affects Versions: 8.11.1
> Reporter: Chris Adams
> Priority: Major
>
> Our Solr deployments had a number of CVEs flagged due to shadowed dependencies in some non-core components:
> * htrace-core4 pulls in jackson-databind, and hasn't been updated in many years since the project shut down around 2016. This leaves around 50 critical CVEs — although it's not clear whether any of these are actually exploitable in the Solr configuration it will generate a lot of noise for Solr users in security-conscious environments.
> This doesn't appear to be a hard dependency for Solr in normal use but I see that the HBase project has a plan to replace it with a shim: https://issues.apache.org/jira/browse/HBASE-24802
> * The test framework pulls in junit4-ant which has an old simple-xml vulnerable to [CVE-2017-1000190|https://nvd.nist.gov/vuln/detail/CVE-2017-1000190]: /opt/solr-8.11.1/dist/test-framework/lib/junit4-ant-2.7.2.jar
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org