Solr interacts with Hadoop only as a client (except in integration tests). From the https://hadoop.apache.org/cve_list.html page, this looks like it is only an issue in the fsimage which is server side for the Namenode. I don't think that CVE-2018-11768 applies to Solr directly.

CVE-2018-11768 Apache Hadoop HDFS FSImage Corruption

There is a mismatch in the size of the fields used to store user/group information between memory and disk representation. This causes the user/group information to be corrupted across storing in fsimage and reading back from fsimage.

This vulnerability fix contains a fsimage layout change, so once the image is saved in the new layout format you cannot go back to a version that doesn’t support the newer layout. This means that once 2.7.x users upgraded to the fixed version, they cannot downgrade to 2.7.x because there is no fixed version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that contains the vulnerability fix.

Kevin Risden

On Tue, Oct 29, 2019 at 12:52 PM Kyle Gerald Lamkin <kyle.lam...@ibm.com> wrote:

> Hello Solr Devs,
>
> I'm looking for some information about CVE-2018-11768, a Hadoop
> vulnerability. In 7.7.2 Solr ships with Hadoop 2.7.4 which is affected, the
> closest fixed version is 2.8.5. Solr 8.x ships with Hadoop 3.2 which is not
> affected.
>
> I was unable to find a Jira item for this, should I open one for it or is
> it not applicable?
>
> Thanks for your time.
>
> Regards,
>
> *Kyle (K.G.) Lamkin*
> ------------------------------
> E-mail: kyle.lam...@ibm.com