[jira] [Resolved] (SOLR-13111) CVE-2017-1000190 Threat Level 9 Against Solr v7.6. org.simpleframework : simple-xml : 2.7.1. SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on.

Cassandra Targett (JIRA) Fri, 04 Jan 2019 13:40:08 -0800


     [ 
https://issues.apache.org/jira/browse/SOLR-13111?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Cassandra Targett resolved SOLR-13111.
--------------------------------------
    Resolution: Invalid

The vulnerability reported by the scanner is a false positive. It is not 
possible to exploit the vulnerability in this dependency in Solr.

We have created a page that includes this and several other dependencies that 
are flagged and explains how they are not true vulnerabilities for Solr: 
https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools.
 I investigated this dependency and added this .jar today since the .jar is 
only needed during compilation and not runtime.

If you had discovered a real vulnerability, the ASF has created guidelines for 
how to report it, detailed here: https://www.apache.org/security/. Ideally, a 
report is sent to [email protected] first, but if a JIRA is created first 
instead, you are encouraged to mark the issue as private so attack vectors are 
not exposed to the general public before they can be mitigated by the community 
in the form of patches or new releases.

> CVE-2017-1000190  Threat Level 9 Against Solr v7.6.  org.simpleframework : 
> simple-xml : 2.7.1. SimpleXML (latest version 2.7.1) is vulnerable to an XXE 
> vulnerability resulting SSRF, information disclosure, DoS and so on. 
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-13111
>                 URL: https://issues.apache.org/jira/browse/SOLR-13111
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.6
>         Environment: RedHat Linux.    May run from RHEL versions 5, 6 or 7 
> but this issue is from Sonatype component scan and should be independent of 
> Linux platform version.
>            Reporter: RobertHathaway
>            Priority: Blocker
>
> We can't move to Solr 7 without fixing this issue flagged by Sonatype scan Of 
> Solr - 7.6.0 Build,
> Using Scanner 1.56.0-01
> Threat Level 9       Against Solr v7.6.  org.simpleframework 
> SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability 
> resulting SSRF, information disclosure, DoS and so on. 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000190



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Resolved] (SOLR-13111) CVE-2017-1000190 Threat Level 9 Against Solr v7.6. org.simpleframework : simple-xml : 2.7.1. SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on.

Reply via email to