Hello,

Some customers that run security scans have seen issues with the 3.2.2 dependency as well, and asked to solve it. You can do several things:

* not use Solr on HDFS, or Hadoop features, and ignore it
* the same as above but delete the affected JARs
* replace the JARs with their 3.3.3 or 3.3.4 counterparts

If you don't store your index on HDFS, I would just ignore it, if your IT department allows you to.

Regards,
Markus

On Thu, 29 Sep 2022 at 18:48, Richard Li <richard...@blueconic.com> wrote:

> Hi,
>
> Our vulnerability scanning tool found a vulnerability from Hadoop in Solr
> 8.11.2. More specifically, it is introduced through
> org.apache.solr:solr-core@8.11.2 › org.apache.hadoop:hadoop-common@3.2.2.
> The published vulnerability is listed as CVE-2022-25168:
> https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
>
> This vulnerability is not listed on Solr Security News, but also not under
> the false positives on the SolrSecurity Confluence page.
>
> We were wondering if this is a real vulnerability for Solr and if in
> particular Solr 8.11.2 is affected by this vulnerability?
>
> Thanks in advance.
>
> Kind regards,
>
> Richard
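
For the second and third options in the reply above, the Hadoop JARs older than 3.3.3 in an installation can be inventoried as follows. This is an added example, not part of the original thread or of the Solr project; it assumes Maven-style file names (`hadoop-<module>-<version>.jar`) and takes the directory to scan as its argument.

```python
import re
import sys
from pathlib import Path

# Assumed Maven-style name: hadoop-<module>-<version>[-classifier].jar
JAR_RE = re.compile(
    r"^(hadoop-[a-z0-9-]+?)-(\d+(?:\.\d+)*)([.-][A-Za-z0-9.-]+)?\.jar$"
)

# Lowest replacement version named in the thread.
MIN_VERSION = (3, 3, 3)


def parse_hadoop_jar(name):
    """Return (artifact, version_tuple) for a Hadoop JAR file name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def find_old_hadoop_jars(root, minimum=MIN_VERSION):
    """List (path, artifact, version) for Hadoop JARs under root below minimum."""
    hits = []
    for path in sorted(Path(root).rglob("hadoop-*.jar")):
        # hadoop-shaded-* (hadoop-thirdparty) has its own version numbering.
        if path.name.startswith("hadoop-shaded-"):
            continue
        parsed = parse_hadoop_jar(path.name)
        if parsed is None:
            continue
        artifact, version = parsed
        # Pad so that a two-part version such as 3.3 compares as 3.3.0.
        padded = version + (0,) * (len(minimum) - len(version))
        if padded < minimum:
            hits.append((path, artifact, ".".join(map(str, version))))
    return hits


if __name__ == "__main__":
    # Usage: python script.py <solr install directory>
    found = find_old_hadoop_jars(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, artifact, version in found:
        print(f"{artifact} {version}  {path}")
    sys.exit(1 if found else 0)
```

The non-zero exit status when anything is found lets the check run in a build or deployment pipeline after JARs have been deleted or replaced.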