Those CVEs all appear to relate to old Jackson versions. Solr 8.11.2 includes Jackson 2.13.3, which is not affected by those CVEs. So I'm not sure why a scanner would even flag those CVEs, unless they're transitively referenced by other dependencies.
On Tue, 22 Aug 2023 at 13:02, Mark Bennett <mbenn...@ideaeng.com> wrote:
> Hi Guys,
>
> One of the cool things Lucidworks did was to publish AND REPEATEDLY UPDATE
> all the CVE stuff. In addition to supporting their own Fusion product,
> Lucid also does quite a bit of Solr work and communications.
>
> If you go on the public support site (no login needed), you can just search
> for CVE info:
>
> https://support.lucidworks.com/hc/en-us/search?utf8=✓&query=cve
>
> They've got 4 or 5 notes. If you managed to read them all and make notes,
> you'll have a very good picture of the situation.
>
> ALSO, just because a CVE issue exists, often there must also be a very
> specific configuration or use pattern to trigger the breach. BUT, if
> you're not using those particular features, the specific CVE risk may not
> even be feasible in your locked down setup.
>
> Lucid really took this seriously.
>
> I hope some of that helps.
>
> --
> Mark Bennett / mbenn...@ideaeng.com / Cell: 408-829-6513
>
> On Tue, Aug 22, 2023 at 5:20 AM Jan Høydahl <jan....@cominvent.com> wrote:
>
> > Hi,
> >
> > It would be helpful if you, instead of copy/pasting 10 CVE numbers, could
> > break it up and list one by one with its title and summary, and why you
> > have reason to worry that it is a problem for Solr.
> >
> > Then our team can consider each one you believe to be problematic, and
> > decide whether we are vulnerable or not, and perhaps update the list at
> > https://solr.apache.org/security.html#cve-reports-for-apache-solr-dependencies
> > with the findings. We also accept Pull Requests for that page at
> > https://github.com/apache/solr-site
> >
> > Jan
> >
> > > On 22 Aug 2023 at 13:03, Tim Pfeifer (ext) <tim.pfeifer....@devk.de.INVALID> wrote:
> > >
> > > Dear Apache Solr Community,
> > >
> > > We are currently in the process of migrating to AWS Cloud, and as part
> > > of this transition, we scanned our existing Apache Solr 8.11.2 with
> > > AquaSec. Several critical security vulnerabilities have emerged from this
> > > scan.
> > >
> > > While many of the identified CVEs are already listed on
> > > https://solr.apache.org/security.html and labeled as "not affected",
> > > there are some for which we couldn't find any information. We would like to
> > > know if Apache Solr is affected by the following CVEs:
> > >
> > > * CVE-2018-11307
> > > * CVE-2018-14718
> > > * CVE-2019-14892
> > > * CVE-2019-16943
> > > * CVE-2019-17267
> > > * CVE-2019-17531
> > > * CVE-2019-20330
> > > * CVE-2020-8840
> > > * CVE-2020-9547
> > > * CVE-2020-9548
> > >
> > > This information is crucial for us to ensure that our deployment is
> > > secure and approved by our security department. Any information or advice
> > > you can provide regarding the aforementioned CVEs would be greatly
> > > appreciated.
> > >
> > > In conclusion, I thank you in advance for your time and support. Please
> > > let me know if you need any additional information or if I should clarify
> > > my request further. I will patiently await your response and am open to any
> > > feedback or suggestions.
> > >
> > > Warm regards,
> > > Tim
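An added example, not from this thread or the Solr project, that does the check the first reply points at: inventory every Jackson artifact a Solr install actually ships, including copies embedded inside other jars (which is how a scanner can flag an old version when the top-level jackson jar is current), and list any below a chosen minimum version. The install root and the minimum version are assumptions supplied by the caller; the `SAMPLE` records are constructed, not taken from a real install.

```python
import re
import zipfile
from pathlib import Path

JAR_RE = re.compile(r"^(jackson-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")
POM_RE = re.compile(r"^META-INF/maven/com\.fasterxml\.jackson[^/]*/([^/]+)/pom\.properties$")

def parse_version(s: str) -> tuple:
    """'2.13.3' -> (2, 13, 3); '2.9.10.4' -> (2, 9, 10, 4); tuples compare in Maven numeric order."""
    return tuple(int(p) for p in re.findall(r"\d+", s))

def classify_jar_name(name: str):
    """(artifact, version) for a jackson-<artifact>-<version>.jar filename, else None."""
    m = JAR_RE.match(name)
    return (m.group(1), m.group(2)) if m else None

def embedded_jackson(jar: Path) -> list:
    """Jackson artifacts whose Maven pom.properties are packed inside this jar (shaded copies);
    scanners match on these files, so an old embedded copy is flagged even when the top-level jar is current."""
    hits = []
    try:
        with zipfile.ZipFile(jar) as z:
            for entry in z.namelist():
                if m := POM_RE.match(entry):
                    v = re.search(r"^version=(\S+)", z.read(entry).decode("utf-8", "replace"), re.M)
                    hits.append((m.group(1), v.group(1) if v else None))
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable jar: report nothing for it rather than abort the whole scan
    return hits

def inventory(root: Path) -> list:
    """One record per Jackson artifact under root: top-level jars plus copies embedded in other jars."""
    records = []
    for jar in root.rglob("*.jar"):
        rel, top = str(jar.relative_to(root)), classify_jar_name(jar.name)
        if top:
            records.append({"artifact": top[0], "version": top[1], "path": rel, "embedded": False})
        for artifact, version in embedded_jackson(jar):
            if not (top and top[0] == artifact):  # skip the jar's own pom.properties
                records.append({"artifact": artifact, "version": version, "path": rel, "embedded": True})
    return records

def below_minimum(records: list, minimum: str) -> list:
    """Records whose version is unknown or lower than `minimum`, i.e. the ones that need triage."""
    floor = parse_version(minimum)
    return [r for r in records if r["version"] is None or parse_version(r["version"]) < floor]

# Constructed sample records (not from a real install); 2.13.3 is the version the reply cites for Solr 8.11.2.
SAMPLE = [{"artifact": "jackson-databind", "version": "2.13.3", "path": "lib/jackson-databind-2.13.3.jar", "embedded": False},
          {"artifact": "jackson-databind", "version": "2.9.10", "path": "lib/vendor-bundle.jar", "embedded": True}]
```

Run `below_minimum(inventory(Path("/path/to/solr")), "2.13.3")` against a real install; an `embedded` record with an old version is the transitive copy the scanner is most likely matching on.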