Hi Colvin,

I guess you are right. As I said, "FileBackedOutputStream" isn't used anywhere
and guava does not seem to use it internally, either.

In Solr 9.2.1 guava is also included via auto-value-1.10.1.jar but that library 
does not seem to use "FileBackedOutputStream", either.

All in all, this appears to be a false positive for both versions of Solr 
(9.2.1 and 9.3). Happy to receive a note if I am wrong and there is indeed an 
issue.

Thanks a lot!
Stefan

From: Colvin Cowie <colvin.cowie....@gmail.com>
Date: Monday, 21. August 2023 at 14:45
To: users@solr.apache.org <users@solr.apache.org>
Subject: Re: HIGH CVE-2023-2976 in Solr 9.3.0

Okay yes, I see it. I can't speak for Hadoop, but it certainly doesn't seem
like Hadoop uses that class - they're still to update their Guava
dependency: https://github.com/apache/hadoop-thirdparty/pull/23. I assume
they would have sorted that out immediately if they were vulnerable.

AFAIK Solr only includes Hadoop for use of the HDFS filesystem, so if
you're not using HDFS, the Hadoop dependency won't be used anyway.

On Mon, 21 Aug 2023 at 13:08, Pieper, Stefan
<stefan.pie...@coremedia.com.invalid> wrote:

> Hi Colvin,
>
> I do "trivy image solr:9.3.0" and receive this:
>
> com.google.guava:guava (hadoop-shaded-guava-1.1.1.jar)
> com.google.guava:guava (hadoop-client-runtime-3.3.5.jar)
>
> So, it's shaded via hadoop. But I was just about to answer my own request
> anyhow: I checked hadoop source for release 3.3.5 and could not find any
> mention of the problematic class "FileBackedOutputStream". So, maybe this
> is not a problem at all?
>
> Stefan
>
> From: Colvin Cowie <colvin.cowie....@gmail.com>
> Date: Monday, 21. August 2023 at 13:19
> To: users@solr.apache.org <users@solr.apache.org>
> Subject: Re: HIGH CVE-2023-2976 in Solr 9.3.0
>
> Hello. Solr 9.3.0 itself shipped with guava-32.0.1-jre. Where exactly are
> you seeing the old version?
>
> On Mon, 21 Aug 2023 at 11:59, Pieper, Stefan
> <stefan.pie...@coremedia.com.invalid> wrote:
>
> > Hi there,
> >
> > a trivy image scan on solr:9.3.0 reveals CVE-2023-2976, rated HIGH, for
> > com.google.guava:guava: 30.1.1-jre. I fail to find any information on the
> > relevance of this to Solr or Hadoop, which introduces the dependency.
> >
> > Can you provide information on the severity of this CVE in the context of
> > Solr?
> >
> > Thanks!
> >
> > Stefan
> >
> > --
> >
> > Stefan Pieper
> > Senior Software Engineer
> >
> > E-Mail: stefan.pie...@coremedia.com
> >
> > www.coremedia.com <https://www.coremedia.com/>
> >
> > --------------------------------------------------------------------------------
> >
> > CoreMedia GmbH
> >
> > Rödingsmarkt 9, 20459 Hamburg, Germany
> >
> > Managing Director: Sören Stamer
> >
> > Commercial Register: Amtsgericht Hamburg, HRB 162480
> >
> > --------------------------------------------------------------------------------
> >
>

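The triage done by hand in this thread (is the flagged class actually shipped in the jar trivy points at, and does anything use it?) can be scripted. The following is an added example and is not code from the thread, from Solr or from Hadoop: it opens a jar as a zip, lists the entries for the Guava class named in CVE-2023-2976 (`com.google.common.io.FileBackedOutputStream`, matched on its unrelocated suffix so shaded builds are caught too), and byte-searches every other `.class` entry for that class's internal name, which any class that directly uses it carries in its constant pool. The sample jar it builds is constructed for the demonstration and contains no real bytecode; the `org/apache/hadoop/thirdparty/` shading prefix and the `org.example.Uploader` class are assumptions.

```python
"""Check whether a jar ships a scanner-flagged class and whether anything in it uses that class."""
import io
import sys
import zipfile

# Internal (slash-separated) name of the Guava class named in CVE-2023-2976.
# Shaded builds relocate the package (the org/apache/hadoop/thirdparty/ prefix used
# below is an assumption for the demo), so matching is done on this suffix.
VULNERABLE_CLASS = "com/google/common/io/FileBackedOutputStream"


def _is_flagged_class(entry: str, class_suffix: str) -> bool:
    """True for the class itself or one of its nested classes (Foo$Inner.class)."""
    stem = entry[: -len(".class")]
    pos = stem.find(class_suffix)
    if pos == -1:
        return False
    rest = stem[pos + len(class_suffix):]
    return rest == "" or rest.startswith("$")


def scan_jar(jar_bytes: bytes, class_suffix: str = VULNERABLE_CLASS) -> dict:
    """Return the flagged class entries and the other classes that reference them.

    A class that uses another class carries that class's internal name verbatim in
    its constant pool, so a plain byte search over .class entries finds direct
    references without parsing the class-file format. Jars nested inside this jar
    are not descended into, and reflective use (Class.forName on a string built at
    run time) is not detected.
    """
    needle = class_suffix.encode()
    shipped, referenced_by = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            if _is_flagged_class(entry, class_suffix):
                shipped.append(entry)          # the class naturally names itself
            elif needle in jar.read(entry):
                referenced_by.append(entry)
    return {"shipped": shipped, "referenced_by": referenced_by}


def verdict(result: dict) -> str:
    """Summarise a scan_jar() result for one jar, in triage terms."""
    if not result["shipped"]:
        return "flagged class not shipped in this jar"
    if not result["referenced_by"]:
        return "flagged class shipped, but no class in this jar references it"
    return "flagged class shipped and referenced by: " + ", ".join(result["referenced_by"])


def build_sample_jar(with_user: bool, prefix: str = "org/apache/hadoop/thirdparty/") -> bytes:
    """Constructed stand-in for a shaded Guava jar; not a real Hadoop or Solr artifact.

    The entries carry the class-file magic plus the names a constant pool would hold,
    which is enough to exercise the scanner; they are not valid bytecode.
    """
    def fake_class(*names: str) -> bytes:
        return b"\xca\xfe\xba\xbe" + b"\x00".join(n.encode() for n in names)

    relocated = prefix + VULNERABLE_CLASS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        jar.writestr(relocated + ".class", fake_class(relocated))
        jar.writestr(relocated + "$MemoryOutput.class",
                     fake_class(relocated + "$MemoryOutput", relocated))
        # Unrelated Guava class: must not be reported as a reference.
        jar.writestr(prefix + "com/google/common/io/ByteStreams.class",
                     fake_class(prefix + "com/google/common/io/ByteStreams"))
        if with_user:
            # Hypothetical application class that instantiates the flagged class.
            jar.writestr("org/example/Uploader.class",
                         fake_class("org/example/Uploader", relocated))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python triage_fbos.py path/to/*.jar   (every jar copied out of the image)
    paths = sys.argv[1:]
    if not paths:
        print("demo:", verdict(scan_jar(build_sample_jar(with_user=False))))
    for path in paths:
        with open(path, "rb") as fh:
            print(f"{path}: {verdict(scan_jar(fh.read()))}")
```

Run it over every jar in the image, not just the one trivy names, because the class that references the flagged one can live in a different jar from the one shipping it. "Shipped but unreferenced" across all jars is strong evidence for a false positive, as concluded in the thread, but not proof: reflective loading and jars nested inside jars or wars are outside what this check sees.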