Hi,

The jose4j attack would affect the `jwt-auth` module, but only if the JWT payload is encrypted with the RSA1_5 or RSA_OAEP algos, which is something you set up in your Identity Provider, and has been discouraged for years. So I would not expect it to be anything to worry about.

Likewise, the 'wget' command requires you to first breach the machine and obtain shell access, as wget is not used by Solr.

Jan

> On 21 Aug 2023 at 16:30, Pieper, Stefan <stefan.pie...@coremedia.com.INVALID> wrote:
>
> Hello,
>
> I only checked the Solr Docker image but I assume that
> https://access.redhat.com/security/cve/CVE-2021-31879 affects only the Docker
> image as it refers to a security problem with command line tool "wget" which
> may be used in an updated (fixed) version when installing without the Docker
> image. I doubt that Solr itself calls "wget" – it's probably only used for
> setting up the Docker image.
>
> https://github.com/advisories/GHSA-jgvc-jfgh-rjvv is about a JAR dependency
> (org.bitbucket.b_c:jose4j) and thus a candidate for a real issue (though only
> severity "moderate"). I am hoping for confirmation from the Solr team that
> this is a "false positive" and Solr is not affected at all.
>
> Best
> Stefan
>
> From: Thomas Heldmann <thomas.heldm...@bsb-muenchen.de>
> Date: Monday, 21. August 2023 at 14:26
> To: users@solr.apache.org <users@solr.apache.org>
> Subject: Re: Solr Image 8.11.2 susceptible to CVE-2021-31879 and
> GHSA-jgvc-jfgh-rjvv
>
> [You don't often get e-mail from thomas.heldm...@bsb-muenchen.de.
> Learn why this is important at
> https://aka.ms/LearnAboutSenderIdentification ]
>
> Dear Mr Pieper,
>
> Do these security issues only affect Solr Docker image 8.11.2 or also Solr
> installations on local computers and SolrCloud installations on servers (=
> Solr Clusters)?
>
> Best regards,
> Thomas Heldmann
>
> --
> Thomas Heldmann
> Bayerische Staatsbibliothek
> Verbundzentrale des Bibliotheksverbunds Bayern
> Leopoldstraße 240
> 80807 München
>
> Tel.: 089/28638-4153
> E-Mail: thomas.heldm...@bsb-muenchen.de
>
>
>>>> "Pieper, Stefan" <stefan.pie...@coremedia.com.INVALID> wrote on
>>>> 21.08.2023 at 13:39:
>> Hi,
>>
>> security scans on the Solr Docker image 8.11.2 show that this is susceptible
>> to these security issues:
>>
>> https://github.com/advisories/GHSA-jgvc-jfgh-rjvv
>> https://access.redhat.com/security/cve/CVE-2021-31879
>>
>> I am unable to find any information on possible impact and workarounds
>> on/for Solr.
>>
>> Do you have any insights to this?
>>
>> Thanks!
>> Stefan
>>
>> --
>> Stefan Pieper
>> Senior Software Engineer
>> CoreMedia <https://www.coremedia.com/>
>>
>> Elevate Experience. Drive Impact.
>>
>> E-Mail: stefan.pie...@coremedia.com
>> www.coremedia.com
>> --------------------------------------------------------------------------------
>> CoreMedia GmbH
>> Rödingsmarkt 9, 20459 Hamburg, Germany
>> Managing Director: Sören Stamer
>> Commercial Register: Amtsgericht Hamburg, HRB 162480
>> --------------------------------------------------------------------------------
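Jan's answer makes exposure a configuration question: the jose4j advisory only matters for `jwt-auth` if the Identity Provider issues encrypted tokens (JWE) whose key-management algorithm is RSA1_5 or RSA-OAEP. The following added example, not code from Solr, jose4j or any poster in this thread, inspects the header of a token your IdP actually issues so you can confirm which case you are in; the sample tokens are constructed with dummy payloads, and the algorithm names follow the JOSE spelling from RFC 7518 (RSA_OAEP is "RSA-OAEP" on the wire).

```python
import base64
import json

# Key-management algorithms named in the thread as the only configuration
# in which the jose4j advisory would reach Solr's jwt-auth module.
RSA_KEY_WRAP_ALGS = {"RSA1_5", "RSA-OAEP"}


def _b64url_decode(segment: str) -> bytes:
    # JOSE base64url omits '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_token(token: str) -> dict:
    """Return serialization kind (JWS/JWE) and header 'alg'/'enc' of a compact token."""
    if token.startswith("Bearer "):          # accept a raw Authorization header value
        token = token[len("Bearer "):]
    parts = token.strip().split(".")
    if len(parts) not in (3, 5):             # JWS has 3 segments, JWE has 5
        raise ValueError(f"not a compact JWS or JWE: {len(parts)} segments")
    header = json.loads(_b64url_decode(parts[0]))
    kind = "JWE" if len(parts) == 5 else "JWS"
    return {"kind": kind, "alg": header.get("alg"), "enc": header.get("enc")}


def uses_rsa_key_wrap(token: str) -> bool:
    """True only for encrypted tokens (JWE) using RSA1_5 or RSA-OAEP key management."""
    info = classify_token(token)
    return info["kind"] == "JWE" and info["alg"] in RSA_KEY_WRAP_ALGS


# --- constructed sample tokens (dummy payload/signature/ciphertext bytes) ---
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _fake_token(header: dict, n_segments: int) -> str:
    filler = [_b64url(b"\x00" * 8)] * (n_segments - 1)
    return ".".join([_b64url(json.dumps(header).encode())] + filler)


SAMPLE_SIGNED = _fake_token({"alg": "RS256", "typ": "JWT"}, 3)
SAMPLE_RSA15_JWE = _fake_token({"alg": "RSA1_5", "enc": "A128CBC-HS256"}, 5)
SAMPLE_ECDH_JWE = _fake_token({"alg": "ECDH-ES+A128KW", "enc": "A128GCM"}, 5)

if __name__ == "__main__":
    for name, tok in [("signed", SAMPLE_SIGNED), ("rsa1_5", SAMPLE_RSA15_JWE),
                      ("ecdh", SAMPLE_ECDH_JWE)]:
        print(name, classify_token(tok), "RSA key wrap:", uses_rsa_key_wrap(tok))
```

Run it against a token captured from your own IdP login flow; a plain signed JWT (3 segments) or a JWE with a non-RSA key-management algorithm is outside the configuration Jan describes.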