Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2021/12/15 08:22:00 UTC

[jira] [Commented] (SOLR-15850) Fix SOLR-Versions to CVE-2021-44228

    [ https://issues.apache.org/jira/browse/SOLR-15850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459726#comment-17459726 ] 

Jan Høydahl commented on SOLR-15850:
------------------------------------

If you are on v7.5, you can get a patched Docker image by pulling 7.7 instead. Only the latest 7.x, 6.x, 5.x versions are supported, as can be seen on [https://hub.docker.com/_/solr] under the "Supported tags" section. Version 7.7 is index- and API-compatible with 7.5 and no features are removed, even if some features are added. So this should normally be a drop-in replacement, i.e. just change the tag and restart the container.

I filed [https://github.com/apache/solr-site/pull/57] to clarify this in our security advisory.

> Fix SOLR-Versions to CVE-2021-44228
> -----------------------------------
>
>                 Key: SOLR-15850
>                 URL: https://issues.apache.org/jira/browse/SOLR-15850
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.5
>            Reporter: IIS
>            Assignee: Jan Høydahl
>            Priority: Critical
>
> As we are faced with critical [CVE-2021-44228|https://github.com/advisories/GHSA-jfh8-c2jp-5v3q] (log4shell) these days, we still await security patches to fix log4j vulnerabilities published on December 12th, 2021.
>  
> In our case we're running Apache SOLR via Docker, where some image versions have been patched very quickly, but still some image versions float around in the official Docker Hub without having received the critical security patches.
>  
> e.g. v7.5.0:
> [https://hub.docker.com/layers/solr/library/solr/7.5.0/images/sha256-e3db40fa85e7115d2d1d3eb06f7555b6132e33bd3b6e91b17c0a1690122a7acc?context=explore]
>  
> When will these versions be updated in the Docker Repository to prevent users from being vulnerable with specific SOLR installations running?


