On 2/13/2024 10:06, Shahryar Shagoshtasbi wrote:
Thank you for your prompt response.
Our scans have detected these CVEs in 9.1 and higher (at least the one we have tested).
I’d highly appreciate it if you could link me to the appropriate changelog for these changes.

Solr 8.11.3 was announced only five days ago. Solr 8 does not include json-smart, so it is not vulnerable to the second CVE. Version 8.11.3 includes Jetty 9.4.53, which fixes the first CVE. Version 8.11.2 is vulnerable.

Solr 9.0 includes json-smart 2.4.7. In 9.4.0 that was upgraded to version 9.4.10. All 9.x versions are not vulnerable to the second CVE.

Solr 9.0.x and 9.1.x both include a vulnerable Jetty 9 version. In Solr 9.2.0, Jetty was upgraded to Jetty 10.0.13, which is also vulnerable. But in Solr 9.4.0 it was upgraded to 10.0.17, which is not vulnerable to that CVE. In 9.4.1 and 9.5.0 it was upgraded to 10.0.19.

All versions of Solr before 8.11.3 are no longer supported. 8.11.3 is a release in maintenance mode, which means that only significant issues with no workaround will be fixed. 8.11.3 will be supported until 8.11.4 or 10.0.0 is released, and there is no guarantee that 8.11.4 will ever happen.

Although technically we are supporting all 9.x versions, vulnerabilities in older minor versions (currently 9.4.x and earlier) are only likely to be fixed in a new point release in the latest minor version (currently 9.5.x) or a new minor version.

Thanks,
Shawn
