Hi Guys,

One of the cool things Lucidworks did was to publish AND REPEATEDLY UPDATE
all the CVE stuff.  In addition to supporting their own Fusion product,
Lucid also does quite a bit of Solr work and communications.

If you go on the public support site (no login needed), you can just search
for CVE info:

https://support.lucidworks.com/hc/en-us/search?utf8=✓&query=cve

They've got 4 or 5 notes. If you manage to read them all and make notes,
you'll have a very good picture of the situation.

ALSO, just because a CVE issue exists, often there must also be very
specific configuration or use pattern to trigger the breach.  BUT, if
you're not using those particular features, the specific CVE risk may not
even be feasible in your locked down setup.

Lucid really took this seriously.

I hope some of that helps.


--
Mark Bennett / mbenn...@ideaeng.com / Cell: 408-829-6513


On Tue, Aug 22, 2023 at 5:20 AM Jan Høydahl <jan....@cominvent.com> wrote:

> Hi,
>
> It would be helpful if you instead of copy/pasting 10 CVE numbers, could
> break it up and list one by one with its title and summary, and why you
> have reason to worry that it is a problem for Solr.
>
> Then our team can consider each one you believe to be problematic, and
> decide whether we are vulnerable or not, and perhaps update the list at
> https://solr.apache.org/security.html#cve-reports-for-apache-solr-dependencies
> with the findings. We also accept Pull Requests for that page at
> https://github.com/apache/solr-site
>
> Jan
>
> > On 22 Aug 2023, at 13:03, Tim Pfeifer (ext) <tim.pfeifer....@devk.de.INVALID> wrote:
> >
> > Dear Apache Solr Community,
> >
> > We are currently in the process of migrating to AWS Cloud, and as part
> > of this transition, we scanned our existing Apache Solr 8.11.2 with
> > AquaSec. Several critical security vulnerabilities have emerged from this
> > scan.
> >
> > While many of the identified CVEs are already listed on
> > https://solr.apache.org/security.html and labeled as "not affected",
> > there are some for which we couldn't find any information. We would like to
> > know if Apache Solr is affected by the following CVEs:
> >
> >  *       CVE-2018-11307
> >  *       CVE-2018-14718
> >  *       CVE-2019-14892
> >  *       CVE-2019-16943
> >  *       CVE-2019-17267
> >  *       CVE-2019-17531
> >  *       CVE-2019-20330
> >  *       CVE-2020-8840
> >  *       CVE-2020-9547
> >  *       CVE-2020-9548
> >
> > This information is crucial for us to ensure that our deployment is
> > secure and approved by our security department. Any information or advice
> > you can provide regarding the aforementioned CVEs would be greatly
> > appreciated.
> >
> > In conclusion, I thank you in advance for your time and support. Please
> > let me know if you need any additional information or if I should clarify
> > my request further. I will patiently await your response and am open to any
> > feedback or suggestions.
> >
> > Warm regards,
> > Tim
>
>
