Hi Razvan,

We maintain a forked branch of Solr 8.11.2 that fixes, I think, all of these. We also publish a container for that. If you're interested to learn more, let me know.

Best,
-Kevin
https://kmwllc.com
On Thu, Feb 9, 2023 at 7:37 AM Razvan Bolocan <razvan-nicu.bolo...@microfocus.com.invalid> wrote:
> Hi,
>
> We are using SOLR 8.11.2 both classic and containerised/docker.
> We have an internal security scanner and it contains multiple types of scans. On the latest scans we have:
>
> Critical
> CVE-2015-1832 : org.apache.derby:derby 10.9.1.0
> : org.apache.derby:derby 10.9.1.0
> Critical
> CVE-2017-15095 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2018-11307 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2018-14718 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> High
> CVE-2018-5968 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2018-7489 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2019-14540 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2019-14893 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2019-16335 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2019-16942 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2019-16943 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2019-17267 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2019-17531 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2019-20330 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> High
> CVE-2020-10650 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> High
> CVE-2020-35490 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> High
> CVE-2020-35491 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> High
> CVE-2020-36518 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> High
> CVE-2021-22573 : com.google.oauth-client:google-oauth-client 1.32.1
> : com.google.oauth-client:google-oauth-client 1.32.1
> High
> CVE-2021-33813 : org.jdom:jdom2 2.0.6
> : org.jdom:jdom2 2.0.6
> Critical
> CVE-2021-37404 : org.apache.hadoop:hadoop-common 3.2.2
> : org.apache.hadoop:hadoop-common 3.2.2
> High
> CVE-2022-2048 : org.eclipse.jetty.http2:http2-server 9.4.44.v20210927
> : org.eclipse.jetty.http2:http2-server 9.4.44.v20210927
> Critical
> CVE-2022-25168 : org.apache.hadoop:hadoop-common 3.2.2
> : org.apache.hadoop:hadoop-common 3.2.2
> High
> CVE-2022-25647 : com.google.code.gson:gson 2.7
> : com.google.code.gson:gson 2.7
> Critical
> CVE-2022-26612 : org.apache.hadoop:hadoop-common 3.2.2
> : org.apache.hadoop:hadoop-common 3.2.2
> High
> CVE-2022-3171 : com.google.protobuf:protobuf-java 3.11.0
> : com.google.protobuf:protobuf-java 3.11.0
> High
> CVE-2022-36364 : org.apache.calcite.avatica:avatica-core 1.18.0
> : org.apache.calcite.avatica:avatica-core 1.18.0
> Critical
> CVE-2022-39135 : org.apache.calcite:calcite-core 1.27.0
> : org.apache.calcite:calcite-core 1.27.0
> High
> CVE-2022-40151 : com.fasterxml.woodstox:woodstox-core 6.2.4
> : com.fasterxml.woodstox:woodstox-core 6.2.4
> High
> CVE-2022-40152 : com.fasterxml.woodstox:woodstox-core 6.2.4
> : com.fasterxml.woodstox:woodstox-core 6.2.4
> Critical
> CVE-2022-41853 : org.hsqldb:hsqldb 2.4.0
> : org.hsqldb:hsqldb 2.4.0
> High
> CVE-2022-42003 : com.fasterxml.jackson.core:jackson-databind 2.13.4
> : com.fasterxml.jackson.core:jackson-databind 2.13.4
> High
> CVE-2022-42003 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> High
> CVE-2022-42004 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> High
> CVE-2022-47629 : libksba 1.3.5-8.el8_6
> : libksba 1.3.5-8.el8_6
>
> We know some of them are covered in
> https://solr.apache.org/security.html#cve-reports-for-apache-solr-dependencies
> but not all.
> We have also seen the
> https://lists.apache.org/thread/539bkq8r11msjpl3yo1ssvy77kmdrps7
> Can we have a resolution for the above?
>
> Thanks,
> Razvan Bolocan
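A scanner list like the one quoted above is easier to triage once it is grouped by dependency rather than read CVE by CVE: most of the entries collapse onto a handful of artifacts, and the same CVE reported at two different versions of one artifact is a hint that two copies of that jar are on the classpath. The script below is an added example written for this thread, not code from either poster or from the Solr project. It assumes the scanner emits exactly the three-line-per-finding format quoted in the mail (severity line, `CVE-id : coordinate version`, then an echo line starting with `:`) and uses a constructed sample that is a subset of the quoted findings.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the scanner output quoted in the thread above,
# kept with its e-mail quote markers to show that the parser tolerates them.
# One finding = three lines: severity, "CVE-id : coordinate version",
# and an echo line ": coordinate version" that carries no new information.
SAMPLE_SCAN = """\
> Critical
> CVE-2015-1832 : org.apache.derby:derby 10.9.1.0
> : org.apache.derby:derby 10.9.1.0
> Critical
> CVE-2017-15095 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> High
> CVE-2018-5968 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> Critical
> CVE-2021-37404 : org.apache.hadoop:hadoop-common 3.2.2
> : org.apache.hadoop:hadoop-common 3.2.2
> Critical
> CVE-2022-25168 : org.apache.hadoop:hadoop-common 3.2.2
> : org.apache.hadoop:hadoop-common 3.2.2
> High
> CVE-2022-42003 : com.fasterxml.jackson.core:jackson-databind 2.13.4
> : com.fasterxml.jackson.core:jackson-databind 2.13.4
> High
> CVE-2022-42003 : com.fasterxml.jackson.core:jackson-databind 2.4.0
> : com.fasterxml.jackson.core:jackson-databind 2.4.0
> High
> CVE-2022-47629 : libksba 1.3.5-8.el8_6
> : libksba 1.3.5-8.el8_6
"""

SEVERITIES = {"Critical", "High", "Medium", "Low"}
# "CVE-2015-1832 : org.apache.derby:derby 10.9.1.0" -> id, coordinate, version
FINDING_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*:\s*(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    severity: str
    cve: str
    coordinate: str  # Maven groupId:artifactId, or a bare OS package name (libksba)
    version: str


def _unquote(line: str) -> str:
    """Strip leading e-mail quote markers ('> ') and surrounding whitespace."""
    return re.sub(r"^(\s*>)+\s?", "", line).strip()


def parse_scan(text: str) -> list[Finding]:
    """Parse the three-line-per-finding scanner format into Finding records."""
    findings: list[Finding] = []
    severity: str | None = None
    for raw in text.splitlines():
        line = _unquote(raw)
        if not line:
            continue
        if line in SEVERITIES:
            severity = line  # applies to the CVE line that follows
            continue
        m = FINDING_RE.match(line)
        if m and severity is not None:
            findings.append(Finding(severity, m.group(1), m.group(2), m.group(3)))
            severity = None
        # The echo line (": coordinate version") does not match and is skipped.
    return findings


def group_by_artifact(findings: list[Finding]) -> dict[str, dict[str, list[tuple[str, str]]]]:
    """Map coordinate -> version -> sorted, de-duplicated list of (severity, cve)."""
    grouped: dict[str, dict[str, set[tuple[str, str]]]] = defaultdict(lambda: defaultdict(set))
    for f in findings:
        grouped[f.coordinate][f.version].add((f.severity, f.cve))
    return {c: {v: sorted(s) for v, s in vs.items()} for c, vs in grouped.items()}


def multi_version_artifacts(findings: list[Finding]) -> list[str]:
    """Coordinates reported at more than one version: a classpath-duplicate signal."""
    return sorted(c for c, vs in group_by_artifact(findings).items() if len(vs) > 1)


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    fs = parse_scan(SAMPLE_SCAN)
    print(f"{len(fs)} findings, by severity: {severity_counts(fs)}")
    for coord, versions in sorted(group_by_artifact(fs).items()):
        for ver, cves in versions.items():
            ids = ", ".join(cve for _, cve in cves)
            print(f"{coord} {ver}: {len(cves)} CVE(s) -> {ids}")
    print("reported at multiple versions:", multi_version_artifacts(fs))
```

Run against the full list from the mail, the per-artifact view makes the actual remediation surface visible (the bulk of the 35 entries are one artifact at one version), and each grouped artifact can then be checked one at a time against the dependency-CVE page Razvan links rather than walking 35 CVE ids individually.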