On 4/15/22 00:41, Rajath Banagi Ravindra wrote:
> We are using Solr 7.5 version and Solr 6.4 version in our applications. Wanted to check if there is any impact due to the vulnerability CVE-2022-22963. I did some googling and didn’t find any clear answers regarding the same. Are Solr instances vulnerable, and is any action needed from our end? Please let me know.
Solr does not use any Spring libraries. That is why it is not mentioned on the Security page.
Some Spring libraries are used for TESTS on the S3 backup repository. This is why the license information for Solr talks about Spring libraries. None of the test code is present in a binary download of Solr.
You do not need to worry about that CVE unless you're doing something very nonstandard that involves Spring libraries that you have added to Solr.
Thanks, Shawn
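
One way to confirm that no Spring libraries have been added to a Solr install, as an added example that is not part of the original message or of Solr itself: the script below inspects the class paths inside every jar under a directory, so a renamed jar is still detected. It assumes CVE-2022-22963 concerns Spring Cloud Function (package `org.springframework.cloud.function`); the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
import zipfile

SPRING_PKG = "org/springframework/"
# Assumption: package of Spring Cloud Function, the component behind CVE-2022-22963.
CLOUD_FUNCTION_PKG = "org/springframework/cloud/function/"


def scan_for_spring(root):
    """Return {jar_path: "spring-cloud-function" | "spring"} for jars under root.

    Matching is on entry names inside the archive, not on the file name.
    Jars nested inside other archives are not opened.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    entries = zf.namelist()
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable, or not really a zip archive
            if any(CLOUD_FUNCTION_PKG in e for e in entries):
                findings[path] = "spring-cloud-function"
            elif any(SPRING_PKG in e for e in entries):
                findings[path] = "spring"
    return findings


def build_sample_tree(root):
    """Constructed sample: a clean jar, a renamed jar with Spring Cloud
    Function classes, and a jar with other Spring classes."""
    lib = os.path.join(root, "server", "solr-webapp", "webapp", "WEB-INF", "lib")
    os.makedirs(lib)
    samples = {
        "solr-core.jar": "org/apache/solr/core/SolrCore.class",
        "custom-plugin.jar": "org/springframework/cloud/function/context/Sample.class",
        "extra.jar": "org/springframework/core/Sample.class",
    }
    for jar, member in samples.items():
        with zipfile.ZipFile(os.path.join(lib, jar), "w") as zf:
            zf.writestr(member, b"")
    return lib


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for jar, kind in sorted(scan_for_spring(tmp).items()):
            print(kind, jar)
```

To check a real deployment, call `scan_for_spring()` on the Solr install directory and on any directories holding custom plugins; an empty result means no jar there carries Spring classes.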