This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 75abf9702 Automatic Site Publish by Buildbot
75abf9702 is described below
commit 75abf97028ea1c5f4d78c0dc2cb7fb312dc95fa9
Author: buildbot <[email protected]>
AuthorDate: Fri Apr 12 15:05:29 2024 +0000
Automatic Site Publish by Buildbot
---
output/feeds/all.atom.xml | 23 +++++++++++-
output/feeds/solr/security.atom.xml | 23 +++++++++++-
output/index.html | 2 +-
output/news.html | 19 ++++++++++
output/operator/index.html | 2 +-
output/security.html | 71 +++++++++++++------------------------
6 files changed, 90 insertions(+), 50 deletions(-)
diff --git a/output/feeds/all.atom.xml b/output/feeds/all.atom.xml
index 17330b469..6e402c987 100644
--- a/output/feeds/all.atom.xml
+++ b/output/feeds/all.atom.xml
@@ -15,7 +15,28 @@
<p><a
href="https://apache.github.io/solr-operator/docs/upgrade-notes.html">https://apache.github.io/solr-operator/docs/upgrade-notes.html</a></p>
<p>For the most exhaustive list, see the change log on ArtifactHub or
view the git history in the solr-operator repo.</p>
<p><a
href="https://artifacthub.io/packages/helm/apache-solr/solr-operator?modal=changelog">https://artifacthub.io/packages/helm/apache-solr/solr-operator?modal=changelog</a></p>
-<p><a
href="https://github.com/apache/solr-operator/releases/tag/v0.8.1">https://github.com/apache/solr-operator/releases/tag/v0.8.1</a></p></content><category
term="solr/operator/news"></category></entry><entry><title>Apache Solr™ 9.5.0
available</title><link href="/apache-solrtm-950-available.html"
rel="alternate"></link><published>2024-02-12T00:00:00+00:00</published><updated>2024-02-12T00:00:00+00:00</updated><author><name>Solr
Developers</name></author><id>ta [...]
+<p><a
href="https://github.com/apache/solr-operator/releases/tag/v0.8.1">https://github.com/apache/solr-operator/releases/tag/v0.8.1</a></p></content><category
term="solr/operator/news"></category></entry><entry><title>CVE-2024-31391:
Solr-Operator liveness and readiness probes may leak basic auth
credentials</title><link
href="/cve-2024-31391-solr-operator-liveness-and-readiness-probes-may-leak-basic-auth-credentials.html"
rel="alternate"></link><published>2024-0 [...]
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+Solr Operator 0.3.0 to 0.8.0</p>
+<p><strong>Description:</strong>
+Insertion of Sensitive Information into Log File vulnerability in the Apache
Solr Operator.</p>
+<p>The Solr sked to bootstrap Solr security, the operator will enable
basic authentication and create several accounts for accessing Solr: including
the "solr …</p></summary><content
type="html"><p><strong>Severity:</strong><br>
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+Solr Operator 0.3.0 to 0.8.0</p>
+<p><strong>Description:</strong>
+Insertion of Sensitive Information into Log File vulnerability in the Apache
Solr Operator.</p>
+<p>The Solr sked to bootstrap Solr security, the operator will enable
basic authentication and create several accounts for accessing Solr: including
the "solr" and "admin" accounts for use by end-users, and a "k8s-oper" account
which the operator uses for its own requests to Solr.
+One common source of these operator requests is healthchecks: liveness,
readiness, and startup probes are all used to determine Solr's health and
ability to receive traffic.
+By default, the operator configures the Solr APIs used for these probes to be
exempt from authentication, but users may specifically request that
authentication be required on probe endpoints as well.
+Whenever one of these probes would fail, if authentication was in use, the
Solr Operator would create a Kubernetes "event" containing the username and
password of the "k8s-oper" account.</p>
+<p>Within the affected version range, this vulnerability affects any
solrcloud resource which (1) bootstrapped security through use of the
<code>.solrOptions.security.authenticationType=basic</code> option,
and (2) required authentication be used on probes by setting
<code>.solrOptions.security.probesRequireAuth=true</code>.</p>
+<p><strong>Mitigation:</strong>
+Users are recommended to upgrade to Solr Operator version 0.8.1, which fixes
this issue by ensuring that probes no longer print the credentials used for
Solr requests. Users may also mitigate the vulnerability by disabling
authentication on their healthcheck probes using the setting
<code>.solrOptions.security.probesRequireAuth=false</code>.</p>
+<p><strong>References:</strong><br>
+JIRA - <a
href="https://issues.apache.org/jira/browse/SOLR-17216">SOLR-17216</a><br>
+CVE - <a
href="https://nvd.nist.gov/vuln/detail/CVE-2024-31391">CVE-2024-31391</a></p></content><category
term="solr/security"></category></entry><entry><title>Apache Solr™ 9.5.0
available</title><link href="/apache-solrtm-950-available.html"
rel="alternate"></link><published>2024-02-12T00:00:00+00:00</published><updated>2024-02-12T00:00:00+00:00</updated><author><name>Solr
Developers</name></author><id>tag:None,2024-02-12:/apache-solrtm-950-available.html</id><summary
[...]
<p>Solr is the popular, blazing fast, open source NoSQL search platform
from the Apache Solr project. Its major features include powerful full-text
search, hit highlighting, faceted search, dynamic clustering, database
integration, rich document handling, and …</p></summary><content
type="html"><p>The Solr PMC is pleased to announce the release of Apache
Solr 9.5.0.</p>
<p>Solr is the popular, blazing fast, open source NoSQL search platform
from the Apache Solr project. Its major features include powerful full-text
search, hit highlighting, faceted search, dynamic clustering, database
integration, rich document handling, and geospatial search. Solr is highly
scalable, providing fault tolerant distributed search and indexing, and powers
the search and navigation features of many of the world's largest internet
sites.</p>
<p>Solr 9.5.0 is available for immediate download at:</p>
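Review bot: the advisory text in the new CVE-2024-31391 entry (the line beginning `+<p>The Solr sked to bootstrap Solr security`) is not a complete sentence; words appear to be missing between "The Solr" and "sked", and the same fragment is emitted in both the `<summary>` and the `<content>` of the entry, so the defect is in the source post rather than in the feed generator. It should be corrected in the originating advisory markdown and republished, since this feed is syndicated to aggregators that will show the mangled opening sentence as the summary. Separately, the unchanged context shows entry ids of the form `<id>tag:None,2024-02-12:/apache-solrtm-950-available.html</id>`; the `None` is the generator's placeholder for an unset site URL, so the feed configuration should be given a proper base URL so that entry ids are globally unique tag URIs.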
diff --git a/output/feeds/solr/security.atom.xml
b/output/feeds/solr/security.atom.xml
index afc094cf4..d3356ba70 100644
--- a/output/feeds/solr/security.atom.xml
+++ b/output/feeds/solr/security.atom.xml
@@ -1,5 +1,26 @@
<?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr -
solr/security</title><link href="/" rel="alternate"></link><link
href="/feeds/solr/security.atom.xml"
rel="self"></link><id>/</id><updated>2024-02-08T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>CVE-2023-50291:
Apache Solr can leak certain passwords due to System Property redaction logic
inconsistencies</title><link
href="/cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-p
[...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Solr -
solr/security</title><link href="/" rel="alternate"></link><link
href="/feeds/solr/security.atom.xml"
rel="self"></link><id>/</id><updated>2024-04-12T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>CVE-2024-31391:
Solr-Operator liveness and readiness probes may leak basic auth
credentials</title><link
href="/cve-2024-31391-solr-operator-liveness-and-readiness-probes-may-leak-basic-auth-credenti
[...]
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+Solr Operator 0.3.0 to 0.8.0</p>
+<p><strong>Description:</strong>
+Insertion of Sensitive Information into Log File vulnerability in the Apache
Solr Operator.</p>
+<p>The Solr sked to bootstrap Solr security, the operator will enable
basic authentication and create several accounts for accessing Solr: including
the "solr …</p></summary><content
type="html"><p><strong>Severity:</strong><br>
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+Solr Operator 0.3.0 to 0.8.0</p>
+<p><strong>Description:</strong>
+Insertion of Sensitive Information into Log File vulnerability in the Apache
Solr Operator.</p>
+<p>The Solr sked to bootstrap Solr security, the operator will enable
basic authentication and create several accounts for accessing Solr: including
the "solr" and "admin" accounts for use by end-users, and a "k8s-oper" account
which the operator uses for its own requests to Solr.
+One common source of these operator requests is healthchecks: liveness,
readiness, and startup probes are all used to determine Solr's health and
ability to receive traffic.
+By default, the operator configures the Solr APIs used for these probes to be
exempt from authentication, but users may specifically request that
authentication be required on probe endpoints as well.
+Whenever one of these probes would fail, if authentication was in use, the
Solr Operator would create a Kubernetes "event" containing the username and
password of the "k8s-oper" account.</p>
+<p>Within the affected version range, this vulnerability affects any
solrcloud resource which (1) bootstrapped security through use of the
<code>.solrOptions.security.authenticationType=basic</code> option,
and (2) required authentication be used on probes by setting
<code>.solrOptions.security.probesRequireAuth=true</code>.</p>
+<p><strong>Mitigation:</strong>
+Users are recommended to upgrade to Solr Operator version 0.8.1, which fixes
this issue by ensuring that probes no longer print the credentials used for
Solr requests. Users may also mitigate the vulnerability by disabling
authentication on their healthcheck probes using the setting
<code>.solrOptions.security.probesRequireAuth=false</code>.</p>
+<p><strong>References:</strong><br>
+JIRA - <a
href="https://issues.apache.org/jira/browse/SOLR-17216">SOLR-17216</a><br>
+CVE - <a
href="https://nvd.nist.gov/vuln/detail/CVE-2024-31391">CVE-2024-31391</a></p></content><category
term="solr/security"></category></entry><entry><title>CVE-2023-50291: Apache
Solr can leak certain passwords due to System Property redaction logic
inconsistencies</title><link
href="/cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies.html"
rel="alternate"></link><published>2024-02-08T00:00:00+00:00</publishe [...]
Moderate</p>
<p><strong>Versions Affected:</strong></p>
<ul>
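Review bot: the `<feed>` header, on both the removed and the added line, contains `<subtitle></subtitle><subtitle></subtitle>`, and RFC 4287 allows at most one `atom:subtitle` element per feed, so strict Atom validators will reject the document. The duplicate comes from the feed template, not from this generated output, so the fix belongs there. The feed-level `<id>/</id>` is likewise only a bare path rather than an IRI, which is the same missing-site-URL symptom as in the other feed.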
diff --git a/output/index.html b/output/index.html
index ee8cfd546..35b4d6339 100644
--- a/output/index.html
+++ b/output/index.html
@@ -112,7 +112,7 @@
</div>
<div class="header-fill"></div>
-<section class="security" latest-date="2024-02-08">
+<section class="security" latest-date="2024-04-12">
<div class="row">
<div class="large-12 columns text-center">
<h2><a href="security.html">⚠ There are recent security
announcements. Read more on the Security page.</a></h2>
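Review bot: `latest-date="2024-04-12"` on the `<section class="security">` element is a custom attribute that is not valid HTML5; if client-side script reads it to decide whether the security banner is shown, renaming it to `data-latest-date` (read as `dataset.latestDate`) keeps the behaviour while passing validation. The value itself matches the date of the new advisory, so the banner logic is being fed correctly by this publish.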
diff --git a/output/news.html b/output/news.html
index 10043f1d0..3e24353c7 100644
--- a/output/news.html
+++ b/output/news.html
@@ -132,6 +132,25 @@
<h1 id="solr-news">Solr<sup>™</sup> News<a class="headerlink"
href="#solr-news" title="Permanent link">¶</a></h1>
<p>You may also read these news as an <a
href="/feeds/solr/news.atom.xml">ATOM feed</a>.</p>
+ <h2
id="cve-2024-31391-solr-operator-liveness-and-readiness-probes-may-leak-basic-auth-credentials">12
April 2024, CVE-2024-31391: Solr-Operator liveness and readiness probes may
leak basic auth credentials
+ <a class="headerlink"
href="#cve-2024-31391-solr-operator-liveness-and-readiness-probes-may-leak-basic-auth-credentials"
title="Permanent link">¶</a>
+ </h2>
+ <p><strong>Severity:</strong><br>
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+Solr Operator 0.3.0 to 0.8.0</p>
+<p><strong>Description:</strong>
+Insertion of Sensitive Information into Log File vulnerability in the Apache
Solr Operator.</p>
+<p>The Solr sked to bootstrap Solr security, the operator will enable basic
authentication and create several accounts for accessing Solr: including the
"solr" and "admin" accounts for use by end-users, and a "k8s-oper" account
which the operator uses for its own requests to Solr.
+One common source of these operator requests is healthchecks: liveness,
readiness, and startup probes are all used to determine Solr's health and
ability to receive traffic.
+By default, the operator configures the Solr APIs used for these probes to be
exempt from authentication, but users may specifically request that
authentication be required on probe endpoints as well.
+Whenever one of these probes would fail, if authentication was in use, the
Solr Operator would create a Kubernetes "event" containing the username and
password of the "k8s-oper" account.</p>
+<p>Within the affected version range, this vulnerability affects any solrcloud
resource which (1) bootstrapped security through use of the
<code>.solrOptions.security.authenticationType=basic</code> option, and (2)
required authentication be used on probes by setting
<code>.solrOptions.security.probesRequireAuth=true</code>.</p>
+<p><strong>Mitigation:</strong>
+Users are recommended to upgrade to Solr Operator version 0.8.1, which fixes
this issue by ensuring that probes no longer print the credentials used for
Solr requests. Users may also mitigate the vulnerability by disabling
authentication on their healthcheck probes using the setting
<code>.solrOptions.security.probesRequireAuth=false</code>.</p>
+<p><strong>References:</strong><br>
+JIRA - <a
href="https://issues.apache.org/jira/browse/SOLR-17216">SOLR-17216</a><br>
+CVE - <a
href="https://nvd.nist.gov/vuln/detail/CVE-2024-31391">CVE-2024-31391</a></p>
<h2 id="apache-solrtm-950-available">12 February 2024, Apache Solr™ 9.5.0
available
<a class="headerlink" href="#apache-solrtm-950-available" title="Permanent
link">¶</a>
</h2>
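Review bot: the Mitigation paragraph of the new entry (`Users are recommended to upgrade to Solr Operator version 0.8.1 ...`) only addresses stopping future leaks; the Description states that affected versions already wrote the `k8s-oper` username and password into Kubernetes events, so operators who ran 0.3.0 to 0.8.0 with `probesRequireAuth=true` should also rotate that credential and review any logging or event-collection pipeline that ingested those events, and the advisory would be more useful if it said so. The alternative mitigation, `.solrOptions.security.probesRequireAuth=false`, should also be stated for what it is: it avoids the leak by leaving the probe endpoints unauthenticated, which is the documented default but is an exposure trade-off the reader should make knowingly.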
diff --git a/output/operator/index.html b/output/operator/index.html
index aabfcfe4c..35c5a27e2 100644
--- a/output/operator/index.html
+++ b/output/operator/index.html
@@ -107,7 +107,7 @@
</div>
<div class="header-fill"></div>
-<section class="security" latest-date="2024-02-08">
+<section class="security" latest-date="2024-04-12">
<div class="row">
<div class="large-12 columns text-center">
<h2><a href="/security.html">⚠ There are recent security
announcements. Read more on the Solr Security page.</a></h2>
diff --git a/output/security.html b/output/security.html
index 3ceee6be5..c0afeacd2 100644
--- a/output/security.html
+++ b/output/security.html
@@ -187,6 +187,11 @@ with you to see if we can provide this information in
other variations or format
<th width="95">Date</th>
<th>Announcement</th>
</tr>
+ <tr>
+ <td><a
href="https://nvd.nist.gov/vuln/detail/CVE-2024-31391">CVE-2024-31391</a></td>
+ <td>2024-04-12</td>
+ <td><a
href="#cve-2024-31391-solr-operator-liveness-and-readiness-probes-may-leak-basic-auth-credentials">Solr-Operator
liveness and readiness probes may leak basic auth credentials</a></td>
+ </tr>
<tr>
<td><a
href="https://nvd.nist.gov/vuln/detail/CVE-2023-50291">CVE-2023-50291</a></td>
<td>2024-02-08</td>
@@ -257,13 +262,28 @@ with you to see if we can provide this information in
other variations or format
<td>2019-12-30</td>
<td><a
href="#cve-2019-17558-apache-solr-rce-through-velocityresponsewriter">Apache
Solr RCE through VelocityResponseWriter</a></td>
</tr>
- <tr>
- <td><a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-12409">CVE-2019-12409</a></td>
- <td>2019-11-18</td>
- <td><a
href="#cve-2019-12409-apache-solr-rce-vulnerability-due-to-bad-config-default">Apache
Solr RCE vulnerability due to bad config default</a></td>
- </tr>
</table>
+ <h2
id="cve-2024-31391-solr-operator-liveness-and-readiness-probes-may-leak-basic-auth-credentials">2024-04-12,
CVE-2024-31391: Solr-Operator liveness and readiness probes may leak basic
auth credentials
+ <a class="headerlink"
href="#cve-2024-31391-solr-operator-liveness-and-readiness-probes-may-leak-basic-auth-credentials"
title="Permanent link">¶</a>
+ </h2>
+ <p><strong>Severity:</strong><br>
+Moderate</p>
+<p><strong>Versions Affected:</strong><br>
+Solr Operator 0.3.0 to 0.8.0</p>
+<p><strong>Description:</strong>
+Insertion of Sensitive Information into Log File vulnerability in the Apache
Solr Operator.</p>
+<p>The Solr sked to bootstrap Solr security, the operator will enable basic
authentication and create several accounts for accessing Solr: including the
"solr" and "admin" accounts for use by end-users, and a "k8s-oper" account
which the operator uses for its own requests to Solr.
+One common source of these operator requests is healthchecks: liveness,
readiness, and startup probes are all used to determine Solr's health and
ability to receive traffic.
+By default, the operator configures the Solr APIs used for these probes to be
exempt from authentication, but users may specifically request that
authentication be required on probe endpoints as well.
+Whenever one of these probes would fail, if authentication was in use, the
Solr Operator would create a Kubernetes "event" containing the username and
password of the "k8s-oper" account.</p>
+<p>Within the affected version range, this vulnerability affects any solrcloud
resource which (1) bootstrapped security through use of the
<code>.solrOptions.security.authenticationType=basic</code> option, and (2)
required authentication be used on probes by setting
<code>.solrOptions.security.probesRequireAuth=true</code>.</p>
+<p><strong>Mitigation:</strong>
+Users are recommended to upgrade to Solr Operator version 0.8.1, which fixes
this issue by ensuring that probes no longer print the credentials used for
Solr requests. Users may also mitigate the vulnerability by disabling
authentication on their healthcheck probes using the setting
<code>.solrOptions.security.probesRequireAuth=false</code>.</p>
+<p><strong>References:</strong><br>
+JIRA - <a
href="https://issues.apache.org/jira/browse/SOLR-17216">SOLR-17216</a><br>
+CVE - <a
href="https://nvd.nist.gov/vuln/detail/CVE-2024-31391">CVE-2024-31391</a></p>
+ <hr/>
<h2
id="cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies">2024-02-08,
CVE-2023-50291: Apache Solr can leak certain passwords due to System Property
redaction logic inconsistencies
<a class="headerlink"
href="#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"
title="Permanent link">¶</a>
</h2>
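Review bot: besides adding the CVE-2024-31391 row and section, this hunk removes the CVE-2019-12409 row (`Apache Solr RCE vulnerability due to bad config default`, 2019-11-18) from the announcements table. An automatic site publish should not drop a published advisory from the index; confirm the removal was made deliberately in the site source (for example, the advisory moved to an archive page) and, if so, link the new location from the table so the CVE identifier still resolves from the security page.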
@@ -621,47 +641,6 @@ Github user <code>s00py</code></p>
<li><a
href="https://issues.apache.org/jira/browse/SOLR-14025">https://issues.apache.org/jira/browse/SOLR-14025</a></li>
<li><a
href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity">https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity</a></li>
</ul>
- <hr/>
- <h2
id="cve-2019-12409-apache-solr-rce-vulnerability-due-to-bad-config-default">2019-11-18,
CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default
- <a class="headerlink"
href="#cve-2019-12409-apache-solr-rce-vulnerability-due-to-bad-config-default"
title="Permanent link">¶</a>
- </h2>
- <p><strong>Severity:</strong>
-High</p>
-<p><strong>Vendor:</strong><br>
-The Apache Software Foundation</p>
-<p><strong>Versions Affected:</strong><br>
-Solr 8.1.1 and 8.2.0 for Linux</p>
-<p><strong>Description:</strong><br>
-The 8.1.1 and 8.2.0 releases of Apache Solr contain an
-insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option
-in the default solr.in.sh configuration file shipping with Solr.</p>
-<p>Windows users are not affected.</p>
-<p>If you use the default solr.in.sh file from the affected releases, then
-JMX monitoring will be enabled and exposed on RMI_PORT (default=18983),
-without any authentication. If this port is opened for inbound traffic
-in your firewall, then anyone with network access to your Solr nodes
-will be able to access JMX, which may in turn allow them to upload
-malicious code for execution on the Solr server.</p>
-<p>The vulnerability is already public [1] and mitigation steps were
-announced on project mailing lists and news page [3] on August 14th,
-without mentioning RCE at that time.</p>
-<p><strong>Mitigation:</strong><br>
-Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set
-to 'false' on every Solr node and then restart Solr. Note that the
-effective solr.in.sh file may reside in /etc/defaults/ or another
-location depending on the install. You can then validate that the
-'com.sun.management.jmxremote*' family of properties are not listed in
-the "Java Properties" section of the Solr Admin UI, or configured in a
-secure way.</p>
-<p>There is no need to upgrade or update any code.</p>
-<p>Remember to follow the Solr Documentation's advice to never expose Solr
-nodes directly in a hostile network environment.</p>
-<p><strong>Credit:</strong><br>
-Matei "Mal" Badanoiu<br>
-Solr JIRA user 'jnyryan' (John)</p>
-<p><strong>References:</strong><br>
-[1] https://issues.apache.org/jira/browse/SOLR-13647<br>
-[3] https://solr.apache.org/news.html</p>
<hr/>
<h1 id="cve-reports-for-apache-solr-dependencies">CVE reports for Apache
Solr dependencies</h1>
<p>Below is a list of CVE vulnerabilities in Apache Solr dependencies, and
the state of their applicability to Solr.</p>
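Review bot: this hunk deletes the entire CVE-2019-12409 advisory body, including its only mitigation guidance (set `ENABLE_REMOTE_JMX_OPTS` to `false` in the effective `solr.in.sh` on every node and restart, then verify that no `com.sun.management.jmxremote*` properties appear in the Admin UI); unless that text now lives elsewhere on the site, the security page no longer answers the question a reader arriving for CVE-2019-12409 would have. If the section is restored, its reference list should also be made consecutive, since it jumps from `[1]` to `[3]`.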