Hi,

Unfortunately there won't be a new 8.x release due to its EOL, see 
https://solr.staged.apache.org/news.html#solr-8-reaches-end-of-life

When it comes to CVE-2024-23454, it talks about Hadoop’s RunJar.run(), and this 
is not a part of the library that we use, it is used for HDFS only. So most 
likely the vulnerability is not exploitable in Solr.

We very much encourage you to start planning the upgrade to version 9.x, or 
else you'll not be prepared once some real vulnerabilities are discovered in 
8.x.

Jan

> On 18 Mar 2025, at 10:08, Octavio González <ogonza...@emergya.com> wrote:
> 
> Hello,
> I have been a Solr user for quite some time, but I have never participated
> in these mail lists nor contributed to the project, so sorry about that.
> In our project, we are using Apache Solr 8.11.3, and we have been told
> about some vulnerabilities affecting a library included in this version
> (Hadoop v3.2.4): CVE-2024-23454
> <https://nvd.nist.gov/vuln/detail/cve-2024-23454> and EOL
> <https://endoflife.date/apache-hadoop>.
> We have checked, and the last Solr v8.x version (8.11.4), which solves
> other critical vulnerabilities (CVE-2024-45217
> <https://nvd.nist.gov/vuln/detail/CVE-2024-45217>,CVE-2024-45216
> <https://nvd.nist.gov/vuln/detail/CVE-2024-45216>), still uses this version
> of Hadoop, but we have not found anything about it in Jira, so we have
> downloaded the sources and changed directly the version number on
> ./lucene/ivy-versions.properties to 3.4.0. After that, we have built the
> project and deployed it, and
> everything seems to be working fine so far.
> Could you please consider applying this change for the next Solr 8.x
> release?
> Thank you very much.
> Best,
> 
> Octavio González Luna
> 
> Software Architect
> 
> Tlf.: +34 954 51 75 77
> 
> 
> LEGAL NOTICE
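The reply's triage argument is that CVE-2024-23454 concerns Hadoop's RunJar.run(), a class Solr does not use. Before accepting "not exploitable" for an advisory on a bundled library, a defender usually wants two facts from the deployed artifact itself: which Hadoop versions are actually on the classpath, and whether the class the advisory names is shipped at all. The script below is an added example, not code from Solr or from this thread; the function names are mine, and the jar files it scans are constructed fixtures created in a temporary directory (a few fake class entries, not real Hadoop or Lucene jars), so it runs offline. Point `audit()` at a real install root to use it for real.

```python
import os
import re
import tempfile
import zipfile

# Class path of the component named in the thread's discussion of CVE-2024-23454.
RUNJAR_CLASS = "org/apache/hadoop/util/RunJar.class"

# Matches Maven-style jar names such as hadoop-common-3.2.4.jar (hypothetical helper).
_JAR_RE = re.compile(r"^(hadoop-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")


def find_hadoop_jars(root):
    """Return {jar_path: (artifact, version)} for every hadoop-*.jar below root."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            m = _JAR_RE.match(name)
            if m:
                found[os.path.join(dirpath, name)] = (m.group(1), m.group(2))
    return found


def jar_contains_class(jar_path, class_path):
    """True if the jar's central directory lists class_path; nothing is extracted."""
    with zipfile.ZipFile(jar_path) as zf:
        return class_path in zf.namelist()


def audit(root, class_path=RUNJAR_CLASS):
    """Summarise the Hadoop jars below root: versions present, and which jars ship class_path."""
    jars = find_hadoop_jars(root)
    return {
        "jar_count": len(jars),
        "versions": sorted({version for _, version in jars.values()}),
        "shipping_class": sorted(
            os.path.basename(path) for path in jars if jar_contains_class(path, class_path)
        ),
    }


def build_fixture():
    """Constructed stand-in for a Solr install tree; the jars contain fake class entries only."""
    root = tempfile.mkdtemp(prefix="solr-fixture-")
    lib = os.path.join(root, "server", "solr-webapp", "webapp", "WEB-INF", "lib")
    os.makedirs(lib)
    magic = b"\xca\xfe\xba\xbe"  # Java class-file magic, enough for a listing check
    # Constructed: one Hadoop jar carrying the class, one Hadoop jar without it,
    # and one non-Hadoop jar that the scan must ignore.
    with zipfile.ZipFile(os.path.join(lib, "hadoop-common-3.2.4.jar"), "w") as zf:
        zf.writestr(RUNJAR_CLASS, magic)
        zf.writestr("org/apache/hadoop/conf/Configuration.class", magic)
    with zipfile.ZipFile(os.path.join(lib, "hadoop-hdfs-client-3.2.4.jar"), "w") as zf:
        zf.writestr("org/apache/hadoop/hdfs/DFSClient.class", magic)
    with zipfile.ZipFile(os.path.join(lib, "lucene-core-8.11.3.jar"), "w") as zf:
        zf.writestr("org/apache/lucene/index/IndexWriter.class", magic)
    return root


if __name__ == "__main__":
    # On a real host: audit("/opt/solr") or wherever the distribution is unpacked.
    print(audit(build_fixture()))
```

Presence of the class is a necessary condition, not proof of exploitability: a jar that ships RunJar can still be unreachable from any Solr code path, which is the point the reply makes. The value of the inventory is the other direction, and the version list: if the class is absent, the advisory cannot apply through that class, and if the versions reported disagree with what the release notes claim, the build or deployment is not what you think it is.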
