Posted to users@solr.apache.org by "Narayanan, Lakshmi" <la...@mmc.com.INVALID> on 2021/06/07 20:28:11 UTC
RE: Vulnerabilities in SOLR 8.8.2
Sending to users@solr.apache.org
Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken, NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Monday, June 07, 2021 3:28 PM
To: solr-user@lucene.apache.org
Subject: Vulnerabilities in SOLR 8.8.2
Hello SOLR-User Support team
Please advise if there is resolution to the vulnerabilities listed below in SOLR 8.8.2
This is preventing us from using the SOLR product
I have tried to contact this mailgroup for support before;
Please advise if there is another mailgroup I can reach for SOLR Support?
Thank you
Vulnerability | Severity | Package | Package Version | Package Type | Package Path | URL | Fix | Stop | Grace Period Stop | Known Warn
VULNDB-180024 | High | derby | 10.9.1.0 | java | /opt/solr-8.8.2/example/example-DIH/solr/db/lib/derby-10.9.1.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-180024 | 10.14.2.0 | True | False | False
VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-annotations-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False
VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-auth-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False
VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-common-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False
VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-hdfs-client-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False
VULNDB-223108 | High | jackson-databind | 2.4.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/htrace-core4-4.1.0-incubating.jar:jackson-databind | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-223108 | 2.8.11.5, 2.9.10.3 | True | False | False
VULNDB-214563 | High | jackson-databind | 2.4.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/htrace-core4-4.1.0-incubating.jar:jackson-databind | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-214563 | 2.10.0, 2.9.10.1 | True | False | False
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Friday, December 11, 2020 11:50 AM
To: solr-user@lucene.apache.org
Subject: FW: Vulnerabilities in SOLR 8.6.2
Can anyone please advise?
Who else should be notified to get some guidance on this please??
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Friday, November 13, 2020 11:21 AM
To: solr-user@lucene.apache.org
Subject: FW: Vulnerabilities in SOLR 8.6.2
This is my 5th attempt in the last 60 days
Is there anyone looking at these mails?
Does anyone care?? :(
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Thursday, October 22, 2020 1:06 PM
To: solr-user@lucene.apache.org
Subject: FW: Vulnerabilities in SOLR 8.6.2
This is my 4th attempt to contact
Please advise, if there is a build that fixes these vulnerabilities
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Sunday, October 18, 2020 4:01 PM
To: solr-user@lucene.apache.org
Subject: FW: Vulnerabilities in SOLR 8.6.2
SOLR-User Support team
Is there anyone who can answer my question or can point to someone who can help
I have not had any response for the past 3 weeks!?
Please advise
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Sunday, October 04, 2020 2:11 PM
To: solr-user@lucene.apache.org
Cc: Chattopadhyay, Salil <sa...@mmc.com>; Mutnuri, Vishnu D <vi...@mmc.com>; Pathak, Omkar <om...@mmc.com>; Shenouda, Nasir B <na...@mmc.com>
Subject: RE: Vulnerabilities in SOLR 8.6.2
Hello Solr-User Support team
Please advise or provide further guidance on the request below
Thank you!
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Monday, September 28, 2020 1:52 PM
To: solr-user@lucene.apache.org
Cc: Chattopadhyay, Salil <sa...@mmc.com>; Mutnuri, Vishnu D <vi...@mmc.com>; Pathak, Omkar <om...@mmc.com>; Shenouda, Nasir B <na...@mmc.com>
Subject: Vulnerabilities in SOLR 8.6.2
Importance: High
Hello Solr-User Support team
We have installed the SOLR 8.6.2 package into a docker container in our DEV environment. Prior to using it, our security team scanned the docker image using SysDig and found a lot of Critical/High/Medium vulnerabilities. The full list is in the attached spreadsheet.
Scan Summary
30 STOPS 190 WARNS 188 Vulnerabilities
Please advise or point us to how/where to get a package that has been patched for the Critical/High/Medium vulnerabilities in the attached spreadsheet
Your help will be gratefully received
**********************************************************************
This e-mail, including any attachments that accompany it, may contain
information that is confidential or privileged. This e-mail is
intended solely for the use of the individual(s) to whom it was intended to be
addressed. If you have received this e-mail and are not an intended recipient,
any disclosure, distribution, copying or other use or
retention of this email or information contained within it are prohibited.
If you have received this email in error, please immediately
reply to the sender via e-mail and also permanently
delete all copies of the original message together with any of its attachments
from your computer or device.
**********************************************************************
Re: Vulnerabilities in SOLR 8.8.2
Posted by Dave <ha...@gmail.com>.
When implemented correctly solr has no vulnerabilities. In other words, it will never have a public facing address to even attack, it’s only accessed through your application on a private network
> On Jun 7, 2021, at 4:51 PM, Narayanan, Lakshmi <la...@mmc.com.invalid> wrote:
>
> Sending to users@solr.apache.org
Re: Vulnerabilities in SOLR 8.8.2
Posted by dmitri maziuk <dm...@gmail.com>.
On 2021-09-06 2:26 PM, Cassandra Targett wrote:
> We have replied to this person’s “monthly reminders” multiple times but they are apparently not subscribed to the list, so they do not see them. It’s almost becoming a troll at this point, to repeatedly attempt to shame a community for not answering but not bothering to join the community to know if they are answering.
The obvious question is why haven't you killfiled this idjit yet.
Dima
Re: Vulnerabilities in SOLR 8.8.2
Posted by Cassandra Targett <ca...@gmail.com>.
We have replied to this person’s “monthly reminders” multiple times but they are apparently not subscribed to the list, so they do not see them. It’s almost becoming a troll at this point, to repeatedly attempt to shame a community for not answering but not bothering to join the community to know if they are answering.
The simple answer is the vast majority of the items on the list are on the wiki page that tracks 3rd party dependencies that are *not* real vulnerabilities in Solr: https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity.
Any questions not addressed by that page should be handled in accordance with the community security policy: https://solr.apache.org/security.html.
On Sep 1, 2021, 10:53 AM -0500, Dave <ha...@gmail.com>, wrote:
> Agreed. Solr should always have a front end to interface with the server itself. I don’t think I’ve ever seen a situation where it was accessible outside of the internal network. Not to mention it gives you an extra layer to add parameters or clean user input. Raw solr is for the developers, that make the interface to the user input
Re: Vulnerabilities in SOLR 8.8.2
Posted by Dave <ha...@gmail.com>.
Agreed. Solr should always have a front end to interface with the server itself. I don’t think I’ve ever seen a situation where it was accessible outside of the internal network. Not to mention it gives you an extra layer to add parameters or clean user input. Raw solr is for the developers, that make the interface to the user input
> On Sep 1, 2021, at 11:28 AM, Shawn Heisey <el...@elyograg.org> wrote:
Re: Vulnerabilities in SOLR 8.8.2
Posted by Shawn Heisey <el...@elyograg.org>.
On 9/1/2021 8:25 AM, Narayanan, Lakshmi wrote:
> This is my monthly reminder to SOLR support groups
> Please advise if the below listed vulnerabilities have been resolved in higher versions of SOLR
> Any response to this message will be gratefully received
The vast majority of any vulnerabilities will be impossible to exploit if you follow one of the most basic security steps: Make sure that Solr is not accessible to the outside world. At the network and/or OS level, make sure that only the IP addresses of people and applications that need Solr are able to access whatever port Solr is listening on.
> /opt/solr-8.8.2/example/example-DIH/solr/db/lib/derby-10.9.1.0.jar
Whatever the vulnerability is here, it can only be a problem if you actually use the derby database with the dataimport handler.
> /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-annotations-3.2.0.jar
> /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-auth-3.2.0.jar
> /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-common-3.2.0.jar
> /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-hdfs-client-3.2.0.jar
> /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/htrace-core4-4.1.0-incubating.jar:jackson-databind
> /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/htrace-core4-4.1.0-incubating.jar:jackson-databind
Are you using the HDFS filesystem support in Solr? If you're not, then these jars are not used and you won't need to worry about it.
I'll say the first thing I said again: The vast majority of any vulnerabilities will be impossible to exploit if you follow one of the most basic security steps: Make sure that Solr is not accessible to the outside world. At the network and/or OS level, make sure that only the IP addresses of people and applications that need Solr are able to access whatever port Solr is listening on.

If you can't trust your own people, that is an internal security issue for your organization, and the Solr project cannot help with it.
Thanks,
Shawn
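Added example, not code from the thread or from the Solr project: a small Python triage script that applies the reasoning in Shawn's and Cassandra's replies to a scanner export in the column layout pasted earlier in the thread. A finding is only actionable if the feature that loads the jar is in use, and it is only urgent if Solr is also reachable from an untrusted network. The sample rows are constructed from that export with a placeholder scanner URL; the path-to-feature rules (the example/ tree, hadoop-* and htrace-core jars as HDFS support) and the DeploymentProfile fields are assumptions made for illustration, not Solr project policy.

```python
"""Triage container-scan findings for a Solr deployment by reachability.

Added example (not from the thread or the Solr project). The feature-mapping
rules and DeploymentProfile fields are assumptions for illustration.
"""
from collections import Counter, namedtuple

# Column order of the scanner export as pasted in the thread (one cell per line).
COLUMNS = (
    "vulnerability", "severity", "package", "package_version", "package_type",
    "package_path", "url", "fix", "stop", "grace_period_stop", "known_warn",
)

# Constructed sample mirroring that export, header row included; the scanner
# host is a placeholder, not a real URL.
SAMPLE_ROWS = [
    ("Vulnerability", "Severity", "Package", "Package Version", "Package Type",
     "Package Path", "URL", "Fix", "Stop", "Grace Period Stop", "Known Warn"),
    ("VULNDB-180024", "High", "derby", "10.9.1.0", "java",
     "/opt/solr-8.8.2/example/example-DIH/solr/db/lib/derby-10.9.1.0.jar",
     "https://scanner.example/VULNDB-180024", "10.14.2.0", "True", "False", "False"),
    ("VULNDB-247944", "High", "hadoop", "3.2.0", "java",
     "/opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-common-3.2.0.jar",
     "https://scanner.example/VULNDB-247944", "2.10.1, 3.1.4, 3.2.2, 3.3.0",
     "True", "False", "False"),
    ("VULNDB-223108", "High", "jackson-databind", "2.4.0", "java",
     "/opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/"
     "htrace-core4-4.1.0-incubating.jar:jackson-databind",
     "https://scanner.example/VULNDB-223108", "2.8.11.5, 2.9.10.3",
     "True", "False", "False"),
]
SAMPLE_EXPORT = "\n".join(cell for row in SAMPLE_ROWS for cell in row)

Finding = namedtuple("Finding", COLUMNS)
# Hypothetical operator-supplied facts about one deployment:
#   uses_examples: the example/ tree (e.g. example-DIH) is actually used
#   uses_hdfs: HDFS filesystem support is enabled
#   reachable_from_untrusted: Solr's port is reachable beyond the app tier
DeploymentProfile = namedtuple(
    "DeploymentProfile", "uses_examples uses_hdfs reachable_from_untrusted")


def _to_bool(cell):
    return cell.strip().lower() == "true"


def parse_export(text):
    """Group the one-cell-per-line paste back into rows; reject a torn paste."""
    cells = [line.strip() for line in text.splitlines() if line.strip()]
    if cells[:1] == ["Vulnerability"]:      # header row present: drop it
        cells = cells[len(COLUMNS):]
    if len(cells) % len(COLUMNS):
        raise ValueError(f"{len(cells)} cells is not a multiple of {len(COLUMNS)}")
    findings = []
    for i in range(0, len(cells), len(COLUMNS)):
        row = cells[i:i + len(COLUMNS)]
        findings.append(Finding(*row[:8], *map(_to_bool, row[8:])))
    return findings


def classify_path(package_path):
    """Map a jar path to the Solr feature that loads it: example, hdfs or core."""
    if "/example/" in package_path:
        return "example"
    # "...htrace-core4-4.1.0-incubating.jar:jackson-databind" means the scanner
    # found jackson-databind shaded inside the htrace jar; judge by the jar.
    jar = package_path.rsplit("/", 1)[-1].split(":", 1)[0]
    if jar.startswith(("hadoop-", "htrace-core")):
        return "hdfs"
    return "core"


def module_in_use(module, profile):
    return {"example": profile.uses_examples, "hdfs": profile.uses_hdfs}.get(module, True)


def priority(finding, profile):
    if not module_in_use(classify_path(finding.package_path), profile):
        return "informational"   # on disk but never loaded: track it only
    if profile.reachable_from_untrusted and finding.severity in ("Critical", "High"):
        return "urgent"          # reachable code path and reachable network
    return "scheduled"           # network-isolated: fix in the next planned upgrade


def triage(findings, profile):
    return [(f, classify_path(f.package_path), priority(f, profile)) for f in findings]


def summarize(findings, profile):
    return dict(Counter(p for _, _, p in triage(findings, profile)))


if __name__ == "__main__":
    locked_down = DeploymentProfile(uses_examples=False, uses_hdfs=False,
                                    reachable_from_untrusted=False)
    for f, module, prio in triage(parse_export(SAMPLE_EXPORT), locked_down):
        print(f"{prio:13} {f.vulnerability:14} {f.package:17} {module:8} fix: {f.fix}")
```

With every feature flag off and Solr reachable only from the application tier, all three sample findings come out "informational": the jars are present in the image but no code path loads them, which is the point the replies make. Flip uses_hdfs and reachable_from_untrusted on and the two hadoop/htrace findings become "urgent", while the derby jar under example/ stays informational until the example tree is actually deployed.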
RE: Vulnerabilities in SOLR 8.8.2
Posted by "Narayanan, Lakshmi" <la...@mmc.com.INVALID>.
This is my monthly reminder to SOLR support groups
Please advise if the below listed vulnerabilities have been resolved in higher versions of SOLR
Any response to this message will be gratefully received
Thank you
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Sunday, August 01, 2021 10:12 PM
To: solr-user@lucene.apache.org; users@solr.apache.org
Subject: RE: Vulnerabilities in SOLR 8.8.2
Hello SOLR Support team
This is my monthly check on this subject
Is someone listening out there to help me with my question below please?
Please advise
Thank you
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Monday, July 05, 2021 1:27 PM
To: solr-user@lucene.apache.org; users@solr.apache.org
Subject: RE: Vulnerabilities in SOLR 8.8.2
Hello SOLR User Support Team
Please advise, how to address these vulnerabilities in SOLR package
This is preventing us from going live
Please advise, if this needs to be sent to any other teams within SOLR user support
Thank you
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Monday, June 07, 2021 4:28 PM
To: solr-user@lucene.apache.org; users@solr.apache.org
Subject: RE: Vulnerabilities in SOLR 8.8.2
Sending to users@solr.apache.org
RE: Vulnerabilities in SOLR 8.8.2
Posted by "Narayanan, Lakshmi" <la...@mmc.com.INVALID>.
Hello SOLR Support team
This is my monthly check on this subject
Is someone listening out there to help me with my question below please?
Please advise
Thank you
From: Narayanan, Lakshmi <la...@mmc.com>
Sent: Monday, July 05, 2021 1:27 PM
To: solr-user@lucene.apache.org; users@solr.apache.org
Subject: RE: Vulnerabilities in SOLR 8.8.2
Hello SOLR User Support Team
Please advise, how to address these vulnerabilities in SOLR package
This is preventing us from going live
Please advise, if this needs to be sent to any other teams within SOLR user support
Thank you
Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com<ma...@mmc.com>
From: Narayanan, Lakshmi <la...@mmc.com>>
Sent: Monday, June 07, 2021 4:28 PM
To: solr-user@lucene.apache.org<ma...@lucene.apache.org>; users@solr.apache.org<ma...@solr.apache.org>
Subject: RE: Vulnerabilities in SOLR 8.8.2
Sending to users@solr.apache.org<ma...@solr.apache.org>
Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com<ma...@mmc.com>
From: Narayanan, Lakshmi <la...@mmc.com>>
Sent: Monday, June 07, 2021 3:28 PM
To: solr-user@lucene.apache.org<ma...@lucene.apache.org>
Subject: Vulnerabilities in SOLR 8.8.2
Hello SOLR-User Support team
Please advise if there is resolution to the vulnerabilities listed below in SOLR 8.8.2
This is preventing us from using the SOLR product
I have tried to contact this mailgroup for support before;
Please advise if there is another mailgroup I can reach for SOLR Support?
Thank you
Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com<ma...@mmc.com>
Vulnerability | Severity | Package | Package Version | Package Type | Package Path | URL | Fix | Stop | Grace Period Stop | Known Warn
VULNDB-180024 | High | derby | 10.9.1.0 | java | /opt/solr-8.8.2/example/example-DIH/solr/db/lib/derby-10.9.1.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-180024 | 10.14.2.0 | True | False | False
VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-annotations-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False
VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-auth-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False
VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-common-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False
VULNDB-247944 | High | hadoop | 3.2.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-hdfs-client-3.2.0.jar | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944 | 2.10.1, 3.1.4, 3.2.2, 3.3.0 | True | False | False
VULNDB-223108 | High | jackson-databind | 2.4.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/htrace-core4-4.1.0-incubating.jar:jackson-databind | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-223108 | 2.8.11.5, 2.9.10.3 | True | False | False
VULNDB-214563 | High | jackson-databind | 2.4.0 | java | /opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/htrace-core4-4.1.0-incubating.jar:jackson-databind | https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-214563 | 2.10.0, 2.9.10.1 | True | False | False
From: Narayanan, Lakshmi <la...@mmc.com>>
Sent: Friday, December 11, 2020 11:50 AM
To: solr-user@lucene.apache.org<ma...@lucene.apache.org>
Subject: FW: Vulnerabilities in SOLR 8.6.2
Can anyone please advise?
Who else should be notified to get some guidance on this please??
Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com<ma...@mmc.com>
From: Narayanan, Lakshmi <la...@mmc.com>>
Sent: Friday, November 13, 2020 11:21 AM
To: solr-user@lucene.apache.org<ma...@lucene.apache.org>
Subject: FW: Vulnerabilities in SOLR 8.6.2
This is my 5th attempt in the last 60 days
Is there anyone looking at these mails?
Does anyone care?? :(
Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com<ma...@mmc.com>
From: Narayanan, Lakshmi <la...@mmc.com>>
Sent: Thursday, October 22, 2020 1:06 PM
To: solr-user@lucene.apache.org<ma...@lucene.apache.org>
Subject: FW: Vulnerabilities in SOLR 8.6.2
This is my 4th attempt to contact
Please advise, if there is a build that fixes these vulnerabilities
Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com<ma...@mmc.com>
From: Narayanan, Lakshmi <la...@mmc.com>>
Sent: Sunday, October 18, 2020 4:01 PM
To: solr-user@lucene.apache.org<ma...@lucene.apache.org>
Subject: FW: Vulnerabilities in SOLR 8.6.2
SOLR-User Support team
Is there anyone who can answer my question or can point to someone who can help
I have not had any response for the past 3 weeks !?
Please advise
Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com<ma...@mmc.com>
From: Narayanan, Lakshmi <la...@mmc.com>>
Sent: Sunday, October 04, 2020 2:11 PM
To: solr-user@lucene.apache.org<ma...@lucene.apache.org>
Cc: Chattopadhyay, Salil <sa...@mmc.com>>; Mutnuri, Vishnu D <vi...@mmc.com>>; Pathak, Omkar <om...@mmc.com>>; Shenouda, Nasir B <na...@mmc.com>>
Subject: RE: Vulnerabilities in SOLR 8.6.2
Hello Solr-User Support team
Please advise or provide further guidance on the request below
Thank you!
Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com<ma...@mmc.com>
From: Narayanan, Lakshmi <la...@mmc.com>>
Sent: Monday, September 28, 2020 1:52 PM
To: solr-user@lucene.apache.org<ma...@lucene.apache.org>
Cc: Chattopadhyay, Salil <sa...@mmc.com>>; Mutnuri, Vishnu D <vi...@mmc.com>>; Pathak, Omkar <om...@mmc.com>>; Shenouda, Nasir B <na...@mmc.com>>
Subject: Vulnerabilities in SOLR 8.6.2
Importance: High
Hello Solr-User Support team
We have installed the SOLR 8.6.2 package into a docker container in our DEV environment. Prior to using it, our security team scanned the docker image using SysDig and found a lot of Critical/High/Medium vulnerabilities. The full list is in the attached spreadsheet.
Scan Summary
30 STOPS 190 WARNS 188 Vulnerabilities
Please advise or point us to how/where to get a package that has been patched for the Critical/High/Medium vulnerabilities in the attached spreadsheet
Your help will be gratefully received
Lakshmi Narayanan
Marsh & McLennan Companies
121 River Street, Hoboken,NJ-07030
201-284-3345
M: 845-300-3809
Email: Lakshmi.narayanan@mmc.com<ma...@mmc.com>
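The scanner export quoted in this thread was pasted one field per line, which hides the two things a Solr operator needs before deciding what to upgrade: whether the flagged jar is on the running server's classpath at all, and whether the scanner found the package bundled inside another jar (the "outer.jar:package" form of the htrace-core4 entries, where replacing the inner library means replacing the outer jar). The script below is an added example written for this thread; it is not code from the Solr project or from the poster. It rebuilds rows from the flattened layout and classifies each finding. It assumes a stock Solr 8.x layout in which only jars under server/solr-webapp/webapp/WEB-INF/lib and server/lib are loaded by the server, while jars under example/ are used only if a core's solrconfig.xml references them; that assumption, the function names and the "policy_stop" label are the script's own. The three embedded findings are copied from the table above.

```python
"""Triage helper for a flattened Sysdig scan export like the one quoted above.

Added example for this thread; it is not Solr project code and not the
poster's script. Assumptions (stock Solr 8.x layout, not verified here):
only jars under server/solr-webapp/webapp/WEB-INF/lib and server/lib are on
the running server's classpath, while jars under example/ are loaded only if
a core's solrconfig.xml references them.
"""
from collections import defaultdict

NUM_COLUMNS = 11  # 11 header fields, then 11 fields per finding
SOLR_HOME = "/opt/solr-8.8.2/"
SERVER_CLASSPATH_PREFIXES = ("server/solr-webapp/webapp/WEB-INF/lib/", "server/lib/")

# Three of the seven findings from the table above, exactly as the scanner
# flattened them: one field per line, header fields first.
SCAN_EXPORT = "\n".join([
    "Vulnerability", "Severity", "Package", "Package Version", "Package Type",
    "Package Path", "URL", "Fix", "Stop", "Grace Period Stop", "Known Warn",
    "VULNDB-180024", "High", "derby", "10.9.1.0", "java",
    "/opt/solr-8.8.2/example/example-DIH/solr/db/lib/derby-10.9.1.0.jar",
    "https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-180024",
    "10.14.2.0", "True", "False", "False",
    "VULNDB-247944", "High", "hadoop", "3.2.0", "java",
    "/opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/hadoop-common-3.2.0.jar",
    "https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-247944",
    "2.10.1, 3.1.4, 3.2.2, 3.3.0", "True", "False", "False",
    "VULNDB-223108", "High", "jackson-databind", "2.4.0", "java",
    "/opt/solr-8.8.2/server/solr-webapp/webapp/WEB-INF/lib/htrace-core4-4.1.0-incubating.jar:jackson-databind",
    "https://mgti-dal-so-sysdig.mrshmc.com:443/secure/#/scanning/vulnerabilities/VULNDB-223108",
    "2.8.11.5, 2.9.10.3", "True", "False", "False",
])


def parse_flattened_export(text):
    """Rebuild one dict per finding from the one-field-per-line paste."""
    fields = [line.strip() for line in text.splitlines() if line.strip()]
    if len(fields) % NUM_COLUMNS:
        raise ValueError("got %d fields, not a multiple of %d" % (len(fields), NUM_COLUMNS))
    header, body = fields[:NUM_COLUMNS], fields[NUM_COLUMNS:]
    return [dict(zip(header, body[i:i + NUM_COLUMNS]))
            for i in range(0, len(body), NUM_COLUMNS)]


def classify(finding, solr_home=SOLR_HOME):
    """Say where the flagged jar lives and whether the package is bundled inside it."""
    path = finding["Package Path"]
    rel = path[len(solr_home):] if path.startswith(solr_home) else path
    # The scanner writes "outer.jar:package" when it found the package shaded
    # inside another jar; the fix is then a new outer jar, not a drop-in swap.
    jar, _, nested = rel.partition(":")
    return {
        "id": finding["Vulnerability"],
        "package": finding["Package"],
        "version": finding["Package Version"],
        "jar": jar.rsplit("/", 1)[-1],
        "bundled_in_jar": bool(nested),
        "on_server_classpath": jar.startswith(SERVER_CLASSPATH_PREFIXES),
        "fix_versions": [v.strip() for v in finding["Fix"].split(",")],
        "policy_stop": finding["Stop"] == "True",
    }


def triage(text, solr_home=SOLR_HOME):
    """Group classified findings by vulnerability ID."""
    by_id = defaultdict(list)
    for finding in parse_flattened_export(text):
        entry = classify(finding, solr_home)
        by_id[entry["id"]].append(entry)
    return dict(by_id)


def summarize(text, solr_home=SOLR_HOME):
    """One line per vulnerability ID: reachability, what to replace, fix versions."""
    lines = []
    for vuln_id, entries in sorted(triage(text, solr_home).items()):
        first = entries[0]
        where = ("on server classpath" if any(e["on_server_classpath"] for e in entries)
                 else "under example/ only")
        if first["bundled_in_jar"]:
            action = "bundled inside %s, replace that jar" % first["jar"]
        else:
            action = "replace " + ", ".join(e["jar"] for e in entries)
        lines.append("%s %s %s: %s; %s; fixed in %s" % (
            vuln_id, first["package"], first["version"], where, action,
            " / ".join(first["fix_versions"])))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SCAN_EXPORT)))
```

Run as-is it prints one line per vulnerability ID; to use it on a full export, paste the scanner's field-per-line text into SCAN_EXPORT (or read it from a file) and keep the 11-column count in step with the scanner's header. The derby finding comes out as "under example/ only", which is the kind of fact worth raising with a security team before blocking a deployment on it, and both jackson-databind findings point at the same htrace-core4 jar, so they are one upgrade, not two.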