On 8/25/23 02:19, Tim Pfeifer (ext) wrote:
> Firstly, I appreciate the Lucidworks resource shared earlier. However, it doesn't cover the CVEs related to jackson-databind that I've outlined below. These vulnerabilities are a point of concern for our security department.
In version 8.11.2, Solr itself includes jackson 2.13.3, so it is not vulnerable. The htrace jar (one of Solr's dependencies for HDFS-based indexes) includes a shaded jackson 2.4.0. If you are not using HDFS for storage of Solr indexes, you cannot be vulnerable. I suspect that even if you are using HDFS and have trace-level logging enabled for it, jackson is probably used in a way that isn't vulnerable, but I cannot guarantee this, because I do not have details about the inner workings of jackson. You might need to check with the HBase project for more info about that.
If you ensure that Solr is not reachable on the network by attackers and sanitize all input sent to Solr for indexing and queries, it is very unlikely that any vulnerabilities that Solr has can be exploited.
Thanks, Shawn
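The reply above hinges on which jackson-databind copies are actually on disk, including the one shaded into the htrace jar. The script below is an added example, not code from this thread or from the Solr project: it walks an install tree, reports every jar that carries jackson-databind (shaded or not) with the version from its Maven metadata, and flags anything older than a threshold. The sample jars it builds are constructed, and the lib paths and the 2.13.3 default threshold are assumptions taken from the reply, not from an advisory.

```python
import os, re, tempfile, zipfile
POM = re.compile(r"META-INF/maven/com\.fasterxml\.jackson\.core/jackson-databind/pom\.properties$")
CLS = re.compile(r"(.*)fasterxml/jackson/databind/ObjectMapper\.class$")
vkey = lambda v: tuple(int(p) for p in re.findall(r"\d+", v))  # '2.13.3' -> (2, 13, 3)

def scan_jar(path):
    """None if the jar carries no jackson-databind, else {jar, version, shaded}."""
    version, found, shaded = None, False, False
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            if POM.search(name):  # Maven metadata usually survives shading
                m = re.search(r"^version=(.+)$", jar.read(name).decode("utf-8", "replace"), re.M)
                version = m.group(1).strip() if m else version
            m = CLS.match(name)
            if m:  # relocated copies sit under e.g. org/apache/htrace/shaded/, not com/
                found, shaded = True, shaded or m.group(1) != "com/"
    if not found and version is None:
        return None
    return {"jar": os.path.basename(path), "version": version, "shaded": shaded}

def scan_tree(root, min_ok="2.13.3"):
    """Walk root for jars; flag copies older than min_ok (default: what the reply says 8.11.2 ships)."""
    findings = []
    for d, _, files in os.walk(root):
        for f in sorted(files):
            hit = scan_jar(os.path.join(d, f)) if f.endswith(".jar") else None
            if hit:
                hit["below_min"] = bool(hit["version"]) and vkey(hit["version"]) < vkey(min_ok)
                findings.append(hit)
    return findings

def make_sample_tree(root):
    """Constructed sample jars mirroring the thread (not real artifacts)."""
    pom = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
    samples = {"server/solr-webapp/WEB-INF/lib/jackson-databind-2.13.3.jar": ("com/", "2.13.3"),
               "contrib/hdfs/lib/htrace-core4-sample.jar": ("org/apache/htrace/shaded/", "2.4.0"),
               "server/lib/unrelated.jar": (None, None)}
    for rel, (prefix, ver) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("org/example/Foo.class" if prefix is None else
                         prefix + "fasterxml/jackson/databind/ObjectMapper.class", b"")
            if ver:
                jar.writestr(pom, "version=%s\n" % ver)

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # build the constructed tree, scan it, return findings
        make_sample_tree(tmp)
        return scan_tree(tmp)  # real use: scan_tree("/opt/solr")
```

Calling `demo()` returns two findings: the plain 2.13.3 jar and the shaded 2.4.0 copy flagged as below the threshold, while the unrelated jar produces nothing.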