Posted to users@solr.apache.org by Richard Li <ri...@blueconic.com> on 2022/09/29 08:49:21 UTC

Hadoop vulnerability in Solr 8.11.2 from scan

Hi,

Our vulnerability scanning tool found a vulnerability from Hadoop in Solr 8.11.2. More specifically, it is introduced through org.apache.solr:solr-core@8.11.2 › org.apache.hadoop:hadoop-common@3.2.2. The published vulnerability is listed as CVE-2022-25168: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130

This vulnerability is not listed on Solr Security News, but also not under the false positives on the SolrSecurity Confluence page.

We were wondering if this is a real vulnerability for Solr and if in particular Solr 8.11.2 is affected by this vulnerability?

Thanks in advance.

Kind regards,

Richard

Re: Hadoop vulnerability in Solr 8.11.2 from scan

Posted by Kevin Risden <kr...@apache.org>.
Solr shouldn't be affected by CVE-2022-25168 based on the CVE description
here [1]. Solr is only an HDFS client when used in production code. The
Hadoop CVE in question won't be used by Solr code when interacting w/ HDFS
as a client.

[1] https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130

Kevin Risden


On Tue, Oct 4, 2022 at 7:03 AM Markus Jelsma <ma...@openindex.io>
wrote:

> Hello,
>
> Some customers that run security scans have seen issues with the 3.2.2
> dependency as well, and asked to solve it. You can do several things:
> * not use Solr on HDFS, or Hadoop features, and ignore it
> * the same as above but delete the affected JARs
> * replace the JARs with their 3.3.3 or 3.3.4 counterparts
>
> If you don't store your index on HDFS, I would just ignore it, if your IT
> department allows you to.
>
> Regards,
> Markus

Re: Hadoop vulnerability in Solr 8.11.2 from scan

Posted by Markus Jelsma <ma...@openindex.io>.
Hello,

Some customers that run security scans have seen issues with the 3.2.2
dependency as well, and asked to solve it. You can do several things:
* not use Solr on HDFS, or Hadoop features, and ignore it
* the same as above but delete the affected JARs
* replace the JARs with their 3.3.3 or 3.3.4 counterparts

If you don't store your index on HDFS, I would just ignore it, if your IT
department allows you to.

Regards,
Markus

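Before deciding between the options Markus lists (ignore, delete the JARs, or swap in the 3.3.3/3.3.4 builds), it helps to know exactly which Hadoop artifacts a Solr installation ships and at what version, so a scanner finding like the one Richard describes can be confirmed or closed out with evidence. The following is an added example, not code from the thread or from the Solr project: it walks a Solr distribution, parses the version out of every `hadoop-*.jar` filename, and reports any artifact older than 3.3.3. The 3.3.3 threshold is an assumption taken from Markus's suggested replacement versions, not a statement about which exact Hadoop release closed CVE-2022-25168, and the sample filenames are constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Assumption for this example: Markus suggests replacing the JARs with their
# 3.3.3 or 3.3.4 counterparts, so anything below 3.3.3 is reported as outdated.
FIXED_VERSION = (3, 3, 3)

# Matches e.g. hadoop-common-3.2.2.jar, hadoop-hdfs-client-3.2.2.jar,
# and classifier builds such as hadoop-common-3.2.2-tests.jar.
JAR_RE = re.compile(
    r"^(hadoop-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?\.jar$"
)

# Constructed sample of a lib/ directory; not taken from a real installation.
SAMPLE_JARS = [
    "solr-core-8.11.2.jar",
    "hadoop-common-3.2.2.jar",
    "hadoop-hdfs-client-3.2.2.jar",
    "hadoop-auth-3.2.2.jar",
    "hadoop-annotations-3.2.2.jar",
    "hadoop-common-3.3.4.jar",
]


def parse_jar(name: str) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Return (artifact, (major, minor, patch)) for a Hadoop JAR name, else None."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    artifact = m.group(1)
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return artifact, version


def classify(names: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Map every Hadoop JAR name to (artifact, version, 'outdated' | 'ok').

    Non-Hadoop JARs are skipped so the report only lists what the scanner
    would actually flag.
    """
    findings = []
    for name in sorted(names):
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        status = "outdated" if version < FIXED_VERSION else "ok"
        findings.append((artifact, ".".join(map(str, version)), status))
    return findings


def outdated_jars(names: Iterable[str]) -> List[str]:
    """Return the JAR filenames that are below FIXED_VERSION, sorted."""
    result = []
    for name in sorted(names):
        parsed = parse_jar(name)
        if parsed is not None and parsed[1] < FIXED_VERSION:
            result.append(name)
    return result


def scan_solr_dir(root: str) -> List[Tuple[str, str, str]]:
    """Walk a Solr install (e.g. server/solr-webapp or contrib dirs) for Hadoop JARs."""
    names = [p.name for p in Path(root).rglob("*.jar")]
    return classify(names)


if __name__ == "__main__":
    # Run against the constructed sample; pass a real path to scan_solr_dir
    # to check an actual installation.
    for artifact, version, status in classify(SAMPLE_JARS):
        print(f"{status:8s} {artifact} {version}")
```

The report is only half the decision: as Kevin notes, Solr acts as an HDFS client, so an outdated artifact on disk is a finding to document, and whether it is reachable depends on whether HDFS or other Hadoop features are enabled in that deployment. Run `scan_solr_dir` against each Solr host before and after replacing or deleting JARs so the scanner's result can be matched to a concrete file list.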