Hello team, I was reading about the commons-text vulnerability, but I could not assure the recommended action by SOLR regarding this issue, I have read that version 1.10 does not have this security issue, but is there a patch for SOLR or is SOLR not affected by it, please advise. Currently I have SOLR 8.11 is it better to upgrade to version 9 or there is remedy or no issue for version 8.11 ?
This is what I found on Aptech page: On 2022-10-13, the Apache Commons Text<https://commons.apache.org/proper/commons-text> team disclosed CVE-2022-42889<https://www.cve.org/CVERecord?id=CVE-2022-42889>. Key takeaways: * If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: you are only affected when this software uses the StringSubstitutor API without properly sanitizing any untrusted input. * If your own software uses commons-text, double-check whether it uses the StringSubstitutor API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input. Apache Commons Text is a low-level library for performing various text operations, such as escaping, calculating string differences, and substituting placeholders in the text with values looked up through interpolators. When using the string substitution feature, some of the available interpolators can trigger network access or code execution. This is intended, but it also means an application that includes user input in the string passed to the substitution without properly sanitizing it would allow an attacker to trigger those interpolators. For that reason the Apache Commons Text team have decided to update the configuration to be more "secure by default", so that the impact of a failure to validate inputs is mitigated and will not give an attacker access to these interpolators. However, it is still recommended that users treat untrusted input with care. >From URL: Time-Consuming Remediation: Assessing the Impact of Text4Shell | >eSecurityPlanet<https://www.esecurityplanet.com/threats/text4shell-vulnerability/> Thanks!! [1513779001828]<http://www.tn.gov/finance> Arwa Daqqaq, CEDA | Business Intelligence Specialist Center for Enterprise Data & Analytics (CEDA) Enterprise Business Intelligence Supporting the Department of Finance & Administration - Strategic Technology Solutions (STS) 901 Rep. John Lewis Way North, Nashville, TN 37243 Office: 615-741-2404 | Mobile: 615-424-8221 arwa.daq...@tn.gov<mailto:arwa.daq...@tn.gov> [facebook]<https://www.facebook.com/financeandadministration/?__tn__=%2Cd%2CP-R&eid=ARAetgzmE21v1kd0uEZ9D-EGr3MvDUsmse6nSFu6vgH6nrbDq_TgXG9gPCncSN2T1mPN6J2zH1jsbt-l> [twitter] <https://twitter.com/TNDeptofFandA?s=17> [pinterest] <https://www.pinterest.com/ParTNers4Health/> [youtube] <https://www.youtube.com/channel/UCQh6mzV5_N_jYzZD94GLc6w> [linkedin] <https://www.linkedin.com/company/tn-dept-of-finance-and-administration/> [cid:image007.jpg@01D8F939.66CAABC0]<https://stateoftennessee.formstack.com/forms/sts_howsmyservice>
