Hi,

We are using Solr 8.11.2, both classic and containerised/docker. We have an internal security scanner, and it contains multiple types of scans. On the latest scans we have:

Critical CVE-2015-1832 : org.apache.derby:derby 10.9.1.0 : org.apache.derby:derby 10.9.1.0
Critical CVE-2017-15095 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2018-11307 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2018-14718 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
High CVE-2018-5968 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2018-7489 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2019-14540 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2019-14893 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2019-16335 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2019-16942 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2019-16943 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2019-17267 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2019-17531 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
Critical CVE-2019-20330 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
High CVE-2020-10650 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
High CVE-2020-35490 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
High CVE-2020-35491 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
High CVE-2020-36518 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
High CVE-2021-22573 : com.google.oauth-client:google-oauth-client 1.32.1 : com.google.oauth-client:google-oauth-client 1.32.1
High CVE-2021-33813 : org.jdom:jdom2 2.0.6 : org.jdom:jdom2 2.0.6
Critical CVE-2021-37404 : org.apache.hadoop:hadoop-common 3.2.2 : org.apache.hadoop:hadoop-common 3.2.2
High CVE-2022-2048 : org.eclipse.jetty.http2:http2-server 9.4.44.v20210927 : org.eclipse.jetty.http2:http2-server 9.4.44.v20210927
Critical CVE-2022-25168 : org.apache.hadoop:hadoop-common 3.2.2 : org.apache.hadoop:hadoop-common 3.2.2
High CVE-2022-25647 : com.google.code.gson:gson 2.7 : com.google.code.gson:gson 2.7
Critical CVE-2022-26612 : org.apache.hadoop:hadoop-common 3.2.2 : org.apache.hadoop:hadoop-common 3.2.2
High CVE-2022-3171 : com.google.protobuf:protobuf-java 3.11.0 : com.google.protobuf:protobuf-java 3.11.0
High CVE-2022-36364 : org.apache.calcite.avatica:avatica-core 1.18.0 : org.apache.calcite.avatica:avatica-core 1.18.0
Critical CVE-2022-39135 : org.apache.calcite:calcite-core 1.27.0 : org.apache.calcite:calcite-core 1.27.0
High CVE-2022-40151 : com.fasterxml.woodstox:woodstox-core 6.2.4 : com.fasterxml.woodstox:woodstox-core 6.2.4
High CVE-2022-40152 : com.fasterxml.woodstox:woodstox-core 6.2.4 : com.fasterxml.woodstox:woodstox-core 6.2.4
Critical CVE-2022-41853 : org.hsqldb:hsqldb 2.4.0 : org.hsqldb:hsqldb 2.4.0
High CVE-2022-42003 : com.fasterxml.jackson.core:jackson-databind 2.13.4 : com.fasterxml.jackson.core:jackson-databind 2.13.4
High CVE-2022-42003 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
High CVE-2022-42004 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0
High CVE-2022-47629 : libksba 1.3.5-8.el8_6 : libksba 1.3.5-8.el8_6

We know some of them are covered in https://solr.apache.org/security.html#cve-reports-for-apache-solr-dependencies but not all. We have also seen https://lists.apache.org/thread/539bkq8r11msjpl3yo1ssvy77kmdrps7

Can we have a resolution for the above?

Thanks,
Razvan Bolocan
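A small triage helper for a scanner export in the shape shown above, added here as an illustration and not part of the original message or of any Solr tooling. It parses the flat "Severity CVE : group:artifact version : group:artifact version" records, groups them by artifact coordinate and version, and reports the worst severity and CVE list per artifact, so that the 20-odd jackson-databind findings collapse into one line per shipped copy. The sample input is a constructed excerpt of the list in the message; the regular expression, function names and the severity ranking are this example's own assumptions about the export format.

```python
"""Group a flat dependency-scanner export by artifact coordinate and version.

Added example: parses records of the form
  <Severity> <CVE-ID> : <group:artifact> <version> : <group:artifact> <version>
(the second pair repeats the first in the scanner output quoted in the message).
"""
import re
from collections import defaultdict

# Assumed ordering of the scanner's severity labels; adjust to your scanner's scale.
SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}

# Coordinates and versions contain no whitespace or colon-with-spaces, so [^\s]+
# is enough; the separator " : " is matched with optional surrounding spaces.
FINDING_RE = re.compile(
    r"(?P<sev>Critical|High|Medium|Low)\s+"
    r"(?P<cve>CVE-\d{4}-\d{4,})\s*:\s*"
    r"(?P<coord>[^\s:]+(?::[^\s:]+)?)\s+(?P<ver>\S+)\s*:\s*"
    r"[^\s:]+(?::[^\s:]+)?\s+\S+"
)

# Constructed excerpt of the scanner output quoted in the message (not a full list).
SAMPLE = """Critical CVE-2015-1832 : org.apache.derby:derby 10.9.1.0 : org.apache.derby:derby 10.9.1.0 \
Critical CVE-2017-15095 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0 \
High CVE-2022-42003 : com.fasterxml.jackson.core:jackson-databind 2.13.4 : com.fasterxml.jackson.core:jackson-databind 2.13.4 \
High CVE-2022-42003 : com.fasterxml.jackson.core:jackson-databind 2.4.0 : com.fasterxml.jackson.core:jackson-databind 2.4.0 \
High CVE-2022-47629 : libksba
1.3.5-8.el8_6 : libksba 1.3.5-8.el8_6"""


def parse_findings(text):
    """Return a list of (severity, cve, coordinate, version) tuples found in text.

    Records may be run together on one line or wrapped across lines, as in the
    message; matching is driven by the severity keyword, not by line breaks.
    """
    return [
        (m.group("sev"), m.group("cve"), m.group("coord"), m.group("ver"))
        for m in FINDING_RE.finditer(text)
    ]


def group_by_artifact(findings):
    """Map (coordinate, version) -> {"worst": severity, "cves": sorted unique CVE ids}."""
    groups = defaultdict(lambda: {"worst": "Low", "cves": set()})
    for sev, cve, coord, ver in findings:
        entry = groups[(coord, ver)]
        entry["cves"].add(cve)
        if SEVERITY_RANK[sev] > SEVERITY_RANK[entry["worst"]]:
            entry["worst"] = sev
    return {
        key: {"worst": val["worst"], "cves": sorted(val["cves"])}
        for key, val in groups.items()
    }


def summarize(text):
    """Return one summary line per artifact, worst severity first, then by coordinate."""
    grouped = group_by_artifact(parse_findings(text))
    ordered = sorted(
        grouped.items(),
        key=lambda kv: (-SEVERITY_RANK[kv[1]["worst"]], kv[0][0], kv[0][1]),
    )
    return [
        f"{val['worst']:8} {coord} {ver}: {len(val['cves'])} CVE(s) "
        f"({', '.join(val['cves'])})"
        for (coord, ver), val in ordered
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Grouping this way makes two things visible that the flat list hides: the same CVE (CVE-2022-42003) is reported against two different jackson-databind versions, which means two copies of the library are present in the scanned tree rather than one mis-identified version, and `libksba 1.3.5-8.el8_6` is an operating-system package from the container base image (the `el8` suffix), so it is patched through the image rather than through Solr's Java dependencies.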