CVEs (vulnerabilities) that apply to Solr 8.4.1
Our TRM team (Technology Risk Management) has provided us with the attached vulnerabilities analysis for Solr 8.4.1 (security issues extracted below).
Has anyone out there in the Solr community done anything to document workarounds or mitigations for any of these identified vulnerabilities in Solr 8.4.1? Does anyone know if work to address these issues is happening for subsequent releases?
Any and all comments will be greatly appreciated!
From their analysis:
Security Issues
| Threat Level | Problem Code | Component | Status |
|---|---|---|---|
| 9 | sonatype-2019-0115 | jQuery 1.7.1 | Open |
| 9 | sonatype-2019-0115 | com.carrotsearch.randomizedtesting : junit4-ant : 2.7.2 | Open |
| 9 | CVE-2015-1832 | org.apache.derby : derby : 10.9.1.0 | Open |
| 9 | CVE-2015-1832 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 9 | CVE-2017-1000190 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 9 | sonatype-2019-0115 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 9 | sonatype-2019-0494 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 8 | CVE-2019-10088 | org.apache.tika : tika-core : 1.19.1 | Open |
| 8 | CVE-2019-10088 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 7 | CVE-2012-0881 | apache-xerces : xercesImpl : 2.9.1 | Open |
| 7 | CVE-2013-4002 | apache-xerces : xercesImpl : 2.9.1 | Open |
| 7 | CVE-2019-14262 | com.drewnoakes : metadata-extractor : 2.11.0 | Open |
| 7 | CVE-2019-12402 | org.apache.commons : commons-compress : 1.18 | Open |
| 7 | CVE-2019-10094 | org.apache.tika : tika-core : 1.19.1 | Open |
| 7 | CVE-2012-0881 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 7 | CVE-2013-4002 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 7 | CVE-2014-0114 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 7 | CVE-2019-10094 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 7 | CVE-2019-12086 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 7 | CVE-2019-12402 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 7 | CVE-2019-14262 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 7 | CVE-2019-17558 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 6 | sonatype-2014-0026 | jQuery 1.7.1 | Open |
| 6 | sonatype-2014-0026 | com.carrotsearch.randomizedtesting : junit4-ant : 2.7.2 | Open |
| 6 | sonatype-2018-0330 | org.apache.ant : ant : 1.8.2 | Open |
| 6 | CVE-2018-17197 | org.apache.tika : tika-core : 1.19.1 | Open |
| 6 | CVE-2018-17197 | org.apache.tika : tika-parsers : 1.19.1 | Open |
| 6 | CVE-2019-10093 | org.apache.tika : tika-parsers : 1.19.1 | Open |
| 6 | sonatype-2018-0469 | org.apache.zookeeper : zookeeper : 3.5.5 | Open |
| 6 | CVE-2018-17197 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 6 | CVE-2019-10093 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 6 | sonatype-2014-0026 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 6 | sonatype-2018-0330 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 5 | CVE-2009-2625 | apache-xerces : xercesImpl : 2.9.1 | Open |
| 5 | sonatype-2017-0348 | apache-xerces : xercesImpl : 2.9.1 | Open |
| 5 | sonatype-2012-0050 | commons-codec : commons-codec : 1.11 | Open |
| 5 | sonatype-2014-0173 | commons-fileupload : commons-fileupload : 1.3.3 | Open |
| 5 | sonatype-2020-0026 | io.netty : netty-handler : 4.1.29.Final | Open |
| 5 | CVE-2012-2098 | org.apache.ant : ant : 1.8.2 | Open |
| 5 | CVE-2019-12415 | org.apache.poi : poi-ooxml : 4.0.0 | Open |
| 5 | CVE-2018-8010 | org.apache.solr : solr-core : 8.4.1 | Open |
| 5 | CVE-2009-2625 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 5 | CVE-2012-2098 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 5 | CVE-2018-8010 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 5 | CVE-2019-12415 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 5 | sonatype-2012-0050 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 5 | sonatype-2014-0173 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 5 | sonatype-2017-0348 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
| 4 | sonatype-2017-0492 | com.sun.mail : javax.mail : 1.5.1 | Open |
| 4 | sonatype-2017-0492 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
Christopher Ahlberg
Director
Middleware Plat & Foundation
DTCC New York
+1 212 855-3995 | cahlberg@dtcc.com