You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@solr.apache.org by "David Smiley (Jira)" <ji...@apache.org> on 2021/12/22 05:22:00 UTC

[jira] [Commented] (SOLR-15855) CVEs in shadowed dependencies

    [ https://issues.apache.org/jira/browse/SOLR-15855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17463586#comment-17463586 ] 

David Smiley commented on SOLR-15855:
-------------------------------------

I made this issue "public" because private issues are for discussing non-public information.

AFAIK, HTrace has to be expressly enabled.  Right [~mdrob]?

Test-framework: We could easily clamp down on our dockerfile to remove the test framework and its dependencies.  That'd be its own issue for Solr 9 here in the project.  If you wish to affect 8.11.x, it's in another place: https://github.com/docker-solr/docker-solr


> CVEs in shadowed dependencies
> -----------------------------
>
>                 Key: SOLR-15855
>                 URL: https://issues.apache.org/jira/browse/SOLR-15855
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.11.1
>            Reporter: Chris Adams
>            Priority: Major
>
> Our Solr deployments had a number of CVEs flagged due to shadowed dependencies in some non-core components:
>  *  htrace-core4 pulls in jackson-databind, and hasn't been updated in many years since the project shut down around 2016. This leaves around 50 critical CVEs — although it's not clear whether any of these are actually exploitable in the Solr configuration it will generate a lot of noise for Solr users in security-conscious environments.
> This doesn't appear to be a hard dependency for Solr in normal use but I see that the HBase project has a plan to replace it with a shim: https://issues.apache.org/jira/browse/HBASE-24802
>  * The test framework pulls in junit4-ant which has an old simple-xml vulnerable to [CVE-2017-1000190|https://nvd.nist.gov/vuln/detail/CVE-2017-1000190]: /opt/solr-8.11.1/dist/test-framework/lib/junit4-ant-2.7.2.jar



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org