This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 019df2b Automatic Site Publish by Buildbot
019df2b is described below
commit 019df2b94de1ff7e6f97af2aa18ffd416d937e92
Author: buildbot <[email protected]>
AuthorDate: Sat Dec 18 00:07:07 2021 +0000
Automatic Site Publish by Buildbot
---
output/feeds/all.atom.xml | 23 ++++++++++++-
output/feeds/solr/security.atom.xml | 23 ++++++++++++-
output/index.html | 2 +-
output/news.html | 20 +++++++++++
output/operator/index.html | 2 +-
output/security.html | 66 +++++++++++++++----------------------
6 files changed, 92 insertions(+), 44 deletions(-)
diff --git a/output/feeds/all.atom.xml b/output/feeds/all.atom.xml
index 47fa79b..72ba862 100644
--- a/output/feeds/all.atom.xml
+++ b/output/feeds/all.atom.xml
@@ -1,5 +1,26 @@
<?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr</title><link
href="/" rel="alternate"></link><link href="/feeds/all.atom.xml"
rel="self"></link><id>/</id><updated>2021-12-16T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache
Solr™ 8.11.1 available</title><link href="/apache-solrtm-8111-available.html"
rel="alternate"></link><published>2021-12-16T00:00:00+00:00</published><updated>2021-12-16T00:00:00+00:00</updated><author><name>Solr
Develo [...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr</title><link
href="/" rel="alternate"></link><link href="/feeds/all.atom.xml"
rel="self"></link><id>/</id><updated>2021-12-18T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>CVE-2021-44548:
Apache Solr information disclosure vulnerability through
DataImportHandler</title><link
href="/cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler.html"
rel="alternate"></ [...]
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+All versions prior to 8.11.1. Affected platforms: Windows.</p>
+<p><strong>Description:</strong><br>
+An Improper Input Validation vulnerability in DataImportHandler of Apache Solr
allows an attacker to provide a Windows UNC path resulting in an SMB network
call being made from the Solr host to another host on
…</p></summary><content
type="html"><p><strong>Severity:</strong><br>
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+All versions prior to 8.11.1. Affected platforms: Windows.</p>
+<p><strong>Description:</strong><br>
+An Improper Input Validation vulnerability in DataImportHandler of Apache Solr
allows an attacker to provide a Windows UNC path resulting in an SMB network
call being made from the Solr host to another host on the network. If the
attacker has wider access to the network, this may lead to SMB attacks, which
may result in:</p>
+<ul>
+<li>The exfiltration of sensitive data such as OS user hashes (NTLM/LM
hashes),</li>
+<li>In case of misconfigured systems, SMB Relay Attacks which can lead
to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code
Execution</li>
+</ul>
+<p>This issue affects all Apache Solr versions prior to 8.11.1. This
issue only affects Windows.</p>
+<p><strong>Mitigation:</strong><br>
+Upgrade to Solr 8.11.1, and/or ensure only trusted clients can make requests
to Solr's DataImport handler.</p>
+<p><strong>Credit:</strong><br>
+Apache Solr would like to thank LaiHan of Nsfocus security team for reporting
the issue</p>
+<p><strong>References:</strong><br>
+Jira issue <a
href="https://issues.apache.org/jira/browse/SOLR-15826">SOLR-15826</a></p></content><category
term="solr/security"></category></entry><entry><title>Apache Solr™ 8.11.1
available</title><link href="/apache-solrtm-8111-available.html"
rel="alternate"></link><published>2021-12-16T00:00:00+00:00</published><updated>2021-12-16T00:00:00+00:00</updated><author><name>Solr
Developers</name></author><id>tag:None,2021-12-16:/apache-solrtm-8111-available.html</id><sum
[...]
<p>Solr is the popular, blazing fast, open source NoSQL search platform
from the Apache Lucene project. Its major features include powerful full-text
search, hit highlighting, faceted search, dynamic clustering, database
integration, rich document handling, and …</p></summary><content
type="html"><p>The Lucene PMC is pleased to announce the release of
Apache Solr 8.11.1.</p>
<p>Solr is the popular, blazing fast, open source NoSQL search platform
from the Apache Lucene project. Its major features include powerful full-text
search, hit highlighting, faceted search, dynamic clustering, database
integration, rich document handling, and geospatial search. Solr is highly
scalable, providing fault tolerant distributed search and indexing, and powers
the search and navigation features of many of the world's largest internet
sites.</p>
<p>Solr 8.11.1 is available for immediate download at:</p>
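Review bot: the regenerated feed header on the `+` line still carries two empty `<subtitle></subtitle>` elements back to back, and the feed-level `<id>` is the bare path `/` while entry ids read `tag:None,2021-12-16:/...`; Atom requires ids to be IRIs, and the literal `None` in the tag URI points at an unset site-URL setting in the generator configuration. Both defects are already present on the `-` line, so the fix belongs in the generator settings rather than in this generated output.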
diff --git a/output/feeds/solr/security.atom.xml
b/output/feeds/solr/security.atom.xml
index 1f12407..4e6364e 100644
--- a/output/feeds/solr/security.atom.xml
+++ b/output/feeds/solr/security.atom.xml
@@ -1,5 +1,26 @@
<?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr -
solr/security</title><link href="/" rel="alternate"></link><link
href="/feeds/solr/security.atom.xml"
rel="self"></link><id>/</id><updated>2021-12-10T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>Apache
Solr affected by Apache Log4J CVE-2021-44228</title><link
href="/apache-solr-affected-by-apache-log4j-cve-2021-44228.html"
rel="alternate"></link><published>2021-12-10T00:00:00+00:00</publishe [...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr -
solr/security</title><link href="/" rel="alternate"></link><link
href="/feeds/solr/security.atom.xml"
rel="self"></link><id>/</id><updated>2021-12-18T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>CVE-2021-44548:
Apache Solr information disclosure vulnerability through
DataImportHandler</title><link
href="/cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandle
[...]
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+All versions prior to 8.11.1. Affected platforms: Windows.</p>
+<p><strong>Description:</strong><br>
+An Improper Input Validation vulnerability in DataImportHandler of Apache Solr
allows an attacker to provide a Windows UNC path resulting in an SMB network
call being made from the Solr host to another host on
…</p></summary><content
type="html"><p><strong>Severity:</strong><br>
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+All versions prior to 8.11.1. Affected platforms: Windows.</p>
+<p><strong>Description:</strong><br>
+An Improper Input Validation vulnerability in DataImportHandler of Apache Solr
allows an attacker to provide a Windows UNC path resulting in an SMB network
call being made from the Solr host to another host on the network. If the
attacker has wider access to the network, this may lead to SMB attacks, which
may result in:</p>
+<ul>
+<li>The exfiltration of sensitive data such as OS user hashes (NTLM/LM
hashes),</li>
+<li>In case of misconfigured systems, SMB Relay Attacks which can lead
to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code
Execution</li>
+</ul>
+<p>This issue affects all Apache Solr versions prior to 8.11.1. This
issue only affects Windows.</p>
+<p><strong>Mitigation:</strong><br>
+Upgrade to Solr 8.11.1, and/or ensure only trusted clients can make requests
to Solr's DataImport handler.</p>
+<p><strong>Credit:</strong><br>
+Apache Solr would like to thank LaiHan of Nsfocus security team for reporting
the issue</p>
+<p><strong>References:</strong><br>
+Jira issue <a
href="https://issues.apache.org/jira/browse/SOLR-15826">SOLR-15826</a></p></content><category
term="solr/security"></category></entry><entry><title>Apache Solr affected by
Apache Log4J CVE-2021-44228</title><link
href="/apache-solr-affected-by-apache-log4j-cve-2021-44228.html"
rel="alternate"></link><published>2021-12-10T00:00:00+00:00</published><updated>2021-12-10T00:00:00+00:00</updated><author><name>Solr
Developers</name></author><id>tag:None,2021-12-1 [...]
Critical</p>
<p><strong>Versions Affected:</strong>
7.4.0 to 7.7.3, 8.0.0 to 8.11.0</p>
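Review bot: the `<summary>` of the new advisory entry is cut mid-sentence at "another host on …", so feed readers will display a teaser ending in a fragment; giving the source post an explicit summary (for instance the first Description sentence, ending at "to another host on the network.") would produce a clean teaser in both this feed and all.atom.xml.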
diff --git a/output/index.html b/output/index.html
index ab2de45..f162f74 100644
--- a/output/index.html
+++ b/output/index.html
@@ -112,7 +112,7 @@
</div>
<div class="header-fill"></div>
-<section class="security" latest-date="2021-12-10">
+<section class="security" latest-date="2021-12-18">
<div class="row">
<div class="large-12 columns text-center">
<h2><a href="security.html">⚠ There are recent security
announcements. Read more on the Security page.</a></h2>
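Review bot: `latest-date="2021-12-18"` on the `<section>` is a non-standard attribute, and the same attribute is bumped in output/operator/index.html in this patch; if a script reads it to decide whether the banner is shown, `data-latest-date` would keep the markup valid HTML5 while staying reachable via `dataset.latestDate`.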
diff --git a/output/news.html b/output/news.html
index df9727c..2d00237 100644
--- a/output/news.html
+++ b/output/news.html
@@ -132,6 +132,26 @@
<h1 id="solr-news">Solr<sup>™</sup> News<a class="headerlink"
href="#solr-news" title="Permanent link">¶</a></h1>
<p>You may also read these news as an <a
href="/feeds/solr/news.atom.xml">ATOM feed</a>.</p>
+ <h2
id="cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler">18
December 2021, CVE-2021-44548: Apache Solr information disclosure
vulnerability through DataImportHandler
+ <a class="headerlink"
href="#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler"
title="Permanent link">¶</a>
+ </h2>
+ <p><strong>Severity:</strong><br>
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+All versions prior to 8.11.1. Affected platforms: Windows.</p>
+<p><strong>Description:</strong><br>
+An Improper Input Validation vulnerability in DataImportHandler of Apache Solr
allows an attacker to provide a Windows UNC path resulting in an SMB network
call being made from the Solr host to another host on the network. If the
attacker has wider access to the network, this may lead to SMB attacks, which
may result in:</p>
+<ul>
+<li>The exfiltration of sensitive data such as OS user hashes (NTLM/LM
hashes),</li>
+<li>In case of misconfigured systems, SMB Relay Attacks which can lead to user
impersonation on SMB Shares or, in a worse-case scenario, Remote Code
Execution</li>
+</ul>
+<p>This issue affects all Apache Solr versions prior to 8.11.1. This issue
only affects Windows.</p>
+<p><strong>Mitigation:</strong><br>
+Upgrade to Solr 8.11.1, and/or ensure only trusted clients can make requests
to Solr's DataImport handler.</p>
+<p><strong>Credit:</strong><br>
+Apache Solr would like to thank LaiHan of Nsfocus security team for reporting
the issue</p>
+<p><strong>References:</strong><br>
+Jira issue <a
href="https://issues.apache.org/jira/browse/SOLR-15826">SOLR-15826</a></p>
<h2 id="apache-solrtm-8111-available">16 December 2021, Apache Solr™ 8.11.1
available
<a class="headerlink" href="#apache-solrtm-8111-available"
title="Permanent link">¶</a>
</h2>
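Review bot: "worse-case scenario" in the second list item should read "worst-case scenario", and the Credit line ("...for reporting the issue") lacks a terminating period; since `output/` is regenerated by Buildbot, both need fixing in the source post for this advisory, from which the identical text in security.html and the two Atom feeds in this patch is produced. The Mitigation also refers to "Solr's DataImport handler" while the title and Description say "DataImportHandler"; one spelling of the component name helps readers searching the page.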
diff --git a/output/operator/index.html b/output/operator/index.html
index ce2e06b..273d35f 100644
--- a/output/operator/index.html
+++ b/output/operator/index.html
@@ -107,7 +107,7 @@
</div>
<div class="header-fill"></div>
-<section class="security" latest-date="2021-12-10">
+<section class="security" latest-date="2021-12-18">
<div class="row">
<div class="large-12 columns text-center">
<h2><a href="/security.html">⚠ There are recent security
announcements. Read more on the Solr Security page.</a></h2>
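Review bot: the banner here differs from the one in output/index.html in wording ("Solr Security page" vs "Security page") and href form (`/security.html` vs `security.html`), which suggests the security banner is kept in two templates and bumped by hand in each; a single shared include with a root-relative href would avoid the two copies drifting apart on future publishes.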
diff --git a/output/security.html b/output/security.html
index e750fe0..6cec587 100644
--- a/output/security.html
+++ b/output/security.html
@@ -140,6 +140,11 @@ Then please disclose responsibly by following <a
href="https://www.apache.org/se
<th>Announcement</th>
</tr>
<tr>
+ <td><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44548">CVE-2021-44548</a></td>
+ <td>2021-12-18</td>
+ <td><a
href="#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler">Apache
Solr information disclosure vulnerability through DataImportHandler</a></td>
+ </tr>
+ <tr>
<td><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></td>
<td>2021-12-10</td>
<td><a
href="#apache-solr-affected-by-apache-log4j-cve-2021-44228">Apache Solr
affected by Apache Log4J CVE-2021-44228</a></td>
@@ -209,13 +214,29 @@ Then please disclose responsibly by following <a
href="https://www.apache.org/se
<td>2018-04-08</td>
<td><a
href="#cve-2018-1308-xxe-attack-through-apache-solrs-dihs-dataconfig-request-parameter">XXE
attack through Apache Solr's DIH's dataConfig request parameter</a></td>
</tr>
- <tr>
- <td><a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-6809">CVE-2016-6809</a></td>
- <td>2017-10-26</td>
- <td><a
href="#cve-2016-6809-java-code-execution-for-serialized-objects-embedded-in-matlab-files-parsed-by-apache-solr-using-tika">Java
code execution for serialized objects embedded in MATLAB files parsed by
Apache Solr using Tika</a></td>
- </tr>
</table>
+ <h2
id="cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler">2021-12-18,
CVE-2021-44548: Apache Solr information disclosure vulnerability through
DataImportHandler
+ <a class="headerlink"
href="#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler"
title="Permanent link">¶</a>
+ </h2>
+ <p><strong>Severity:</strong><br>
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+All versions prior to 8.11.1. Affected platforms: Windows.</p>
+<p><strong>Description:</strong><br>
+An Improper Input Validation vulnerability in DataImportHandler of Apache Solr
allows an attacker to provide a Windows UNC path resulting in an SMB network
call being made from the Solr host to another host on the network. If the
attacker has wider access to the network, this may lead to SMB attacks, which
may result in:</p>
+<ul>
+<li>The exfiltration of sensitive data such as OS user hashes (NTLM/LM
hashes),</li>
+<li>In case of misconfigured systems, SMB Relay Attacks which can lead to user
impersonation on SMB Shares or, in a worse-case scenario, Remote Code
Execution</li>
+</ul>
+<p>This issue affects all Apache Solr versions prior to 8.11.1. This issue
only affects Windows.</p>
+<p><strong>Mitigation:</strong><br>
+Upgrade to Solr 8.11.1, and/or ensure only trusted clients can make requests
to Solr's DataImport handler.</p>
+<p><strong>Credit:</strong><br>
+Apache Solr would like to thank LaiHan of Nsfocus security team for reporting
the issue</p>
+<p><strong>References:</strong><br>
+Jira issue <a
href="https://issues.apache.org/jira/browse/SOLR-15826">SOLR-15826</a></p>
+ <hr/>
<h2 id="apache-solr-affected-by-apache-log4j-cve-2021-44228">2021-12-10,
Apache Solr affected by Apache Log4J CVE-2021-44228
<a class="headerlink"
href="#apache-solr-affected-by-apache-log4j-cve-2021-44228" title="Permanent
link">¶</a>
</h2>
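Review bot: the deletion of the CVE-2016-6809 table row (`- <td><a href="https://nvd.nist.gov/vuln/detail/CVE-2016-6809">...`) alongside the addition of the CVE-2021-44548 row reads as a fixed-size window on the table rather than a deliberate retirement of that advisory; if so, the table should say so or link to where older advisories live, because a reader checking whether Solr 5.x or 6.x is affected by CVE-2016-6809 now finds no mention of it on the security page. The added section itself matches the news.html copy, including the "worse-case scenario" typo (should be "worst-case").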
@@ -625,41 +646,6 @@ secure Solr servers.</p>
<p>[1] <a
href="https://issues.apache.org/jira/browse/SOLR-11971">https://issues.apache.org/jira/browse/SOLR-11971</a><br>
[2] <a
href="https://cwiki.apache.org/confluence/display/solr/SolrSecurity">https://cwiki.apache.org/confluence/display/solr/SolrSecurity</a></p>
<hr/>
- <h2
id="cve-2016-6809-java-code-execution-for-serialized-objects-embedded-in-matlab-files-parsed-by-apache-solr-using-tika">2017-10-26,
CVE-2016-6809: Java code execution for serialized objects embedded in MATLAB
files parsed by Apache Solr using Tika
- <a class="headerlink"
href="#cve-2016-6809-java-code-execution-for-serialized-objects-embedded-in-matlab-files-parsed-by-apache-solr-using-tika"
title="Permanent link">¶</a>
- </h2>
- <p><strong>Severity:</strong> Important</p>
-<p><strong>Vendor:</strong><br>
-The Apache Software Foundation</p>
-<p><strong>Versions Affected:</strong></p>
-<ul>
-<li>Solr 5.0.0 to 5.5.4</li>
-<li>Solr 6.0.0 to 6.6.1</li>
-<li>Solr 7.0.0 to 7.0.1</li>
-</ul>
-<p><strong>Description:</strong><br>
-Apache Solr uses Apache Tika for parsing binary file types such as
-doc, xls, pdf etc. Apache Tika wraps the jmatio parser
-(https://github.com/gradusnikov/jmatio) to handle MATLAB files. The
-parser uses native deserialization on serialized Java objects embedded
-in MATLAB files. A malicious user could inject arbitrary code into a
-MATLAB file that would be executed when the object is deserialized.</p>
-<p>This vulnerability was originally described at
-http://mail-archives.apache.org/mod_mbox/tika-user/201611.mbox/%3C2125912914.1308916.1478787314903%40mail.yahoo.com%3E</p>
-<p><strong>Mitigation:</strong><br>
-Users are advised to upgrade to either Solr 5.5.5 or Solr 6.6.2 or Solr 7.1.0
-releases which have fixed this vulnerability.</p>
-<p>Solr 5.5.5 upgrades the jmatio parser to v1.2 and disables the Java
-deserialisation support to protect against this vulnerability.</p>
-<p>Solr 6.6.2 and Solr 7.1.0 have upgraded the bundled Tika to v1.16.</p>
-<p>Once upgrade is complete, no other steps are required.</p>
-<p><strong>References:</strong></p>
-<ul>
-<li><a
href="https://issues.apache.org/jira/browse/SOLR-11486">https://issues.apache.org/jira/browse/SOLR-11486</a></li>
-<li><a
href="https://issues.apache.org/jira/browse/SOLR-10335">https://issues.apache.org/jira/browse/SOLR-10335</a></li>
-<li><a
href="https://cwiki.apache.org/confluence/display/solr/SolrSecurity">https://cwiki.apache.org/confluence/display/solr/SolrSecurity</a></li>
-</ul>
- <hr/>
</div>
</div>
</div>
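Review bot: removing the entire CVE-2016-6809 section drops the anchor `#cve-2016-6809-java-code-execution-for-serialized-objects-embedded-in-matlab-files-parsed-by-apache-solr-using-tika` that the table row and any external advisories linked to, so inbound links now land on the page top with no indication why; it also removes the only statement of the fixed releases (Solr 5.5.5, 6.6.2, 7.1.0) and the jmatio v1.2 / Tika v1.16 upgrade detail that users still on those branches need. Prefer moving the section to an archive page and leaving a link in its place rather than deleting it.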