Additional information - We are using Solr 9.8.1 and the vulnerability is detected in solr-webapp/webapp/WEB-INF/lib/netty-handler-4.1.114.Final.jar. Wanted to check what the mitigation for this would be in Solr. Since there is no mention of this CVE on the Solr security page <https://solr.apache.org/security.html>, wondering if we should take any action to mitigate this vulnerability.
On Wed, Apr 9, 2025 at 4:00 PM Vijay Mhaskar <vijaymhas...@gmail.com> wrote:

> Hello,
>
> I'm trying to understand the impact of CVE-2025-24970
> <https://nvd.nist.gov/vuln/detail/CVE-2025-24970>, which appears to be
> related to Netty. I couldn't find any mention of this CVE in the official
> Solr security page; it's neither listed under exploitable nor in
> not-exploitable vulnerabilities.
>
> From my initial investigation, it seems this vulnerability comes via
> ZooKeeper, and it seems to be addressed recently in the ZooKeeper project
> as part of ZOOKEEPER-4897
> <https://issues.apache.org/jira/browse/ZOOKEEPER-4897>.
>
> Could someone help clarify the following:
>
> - Does this CVE affect Solr, in either standalone or cloud mode?
> - Is there any ongoing effort to update this dependency in Solr to
>   include this fix?
> - I couldn't find any relevant Jira issue on the Solr board. Is there
>   already a ticket open, or would it make sense to create one?
>
> Any guidance would be greatly appreciated!
>
> Thank you
> Vijay
>
> --

--
Vijay
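As an added example (not part of this thread and not Solr project code), the script below does the inventory step behind the question: it walks a Solr install, picks out every bundled Netty jar, parses the version out of the file name (the page's jar is netty-handler-4.1.114.Final.jar) and flags any jar whose version is below a minimum you pass in. The minimum version is deliberately a parameter: take it from the advisory for the CVE you are tracking rather than from this script. The directory layout and the SOLR_HOME name are assumptions; jar paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the Solr project or this mailing-list thread.
# Inventory Netty jars under a Solr install and flag versions below a minimum.

# Extract the numeric version from a Netty jar file name or path, e.g.
# ".../netty-handler-4.1.114.Final.jar" -> "4.1.114". Prints nothing if
# the name does not look like a Netty jar.
netty_jar_version() {
    printf '%s\n' "$1" |
        sed -n 's/^.*netty-[a-z0-9-]*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\..*$/\1/p'
}

# Return 0 (true) when dotted version $1 is strictly lower than $2.
# Fields are compared numerically, so 4.1.9 < 4.1.114 as expected.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0;
            bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai < bi) exit 0;
            if (ai > bi) exit 1;
        }
        exit 1
    }'
}

# Scan a directory tree for Netty jars. Prints "<path> <version> FLAGGED|ok"
# per jar and returns 1 if any jar is below the minimum version, else 0.
# Assumes jar paths contain no whitespace (word splitting on find output).
scan_netty_jars() {
    dir="$1"; min="$2"; rc=0
    for jar in $(find "$dir" -type f -name 'netty-*.jar' 2>/dev/null); do
        v=$(netty_jar_version "$jar")
        [ -n "$v" ] || continue
        if version_lt "$v" "$min"; then
            echo "$jar $v FLAGGED"
            rc=1
        else
            echo "$jar $v ok"
        fi
    done
    return $rc
}

# Usage: sh netty_inventory.sh <solr-dir> <minimum-netty-version>
# e.g.   sh netty_inventory.sh /opt/solr/server <version from the advisory>
# (SOLR_HOME path and the minimum version are placeholders you supply.)
if [ "$#" -eq 2 ]; then
    scan_netty_jars "$1" "$2"
fi
```

Run it against the directory the page names (server/solr-webapp/webapp/WEB-INF/lib) or the whole Solr tree, since Netty jars can also be pulled in by other bundled components. A non-zero exit makes it usable as a CI or configuration-audit check; the version-only comparison tells you whether the shipped jar predates the fix, not whether the affected code path (Netty's TLS handling, per the advisory) is actually reachable in your deployment, which is the question raised in the thread.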