[ 
https://issues.apache.org/jira/browse/SOLR-15855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17463586#comment-17463586
 ] 

David Smiley commented on SOLR-15855:
-------------------------------------

I made this issue "public" because private issues are for discussing non-public 
information.

AFAIK, HTrace has to be expressly enabled.  Right [~mdrob]?

Test-framework: We could easily clamp down on our dockerfile to remove the test 
framework and its dependencies.  That'd be its own issue for Solr 9 here in the 
project.  If you wish to affect 8.11.x, it's in another place: 
https://github.com/docker-solr/docker-solr


> CVEs in shadowed dependencies
> -----------------------------
>
>                 Key: SOLR-15855
>                 URL: https://issues.apache.org/jira/browse/SOLR-15855
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.11.1
>            Reporter: Chris Adams
>            Priority: Major
>
> Our Solr deployments had a number of CVEs flagged due to shadowed 
> dependencies in some non-core components:
>  * htrace-core4 pulls in jackson-databind, and hasn't been updated in many 
> years since the project shut down around 2016. This leaves around 50 critical 
> CVEs — although it's not clear whether any of these are actually exploitable 
> in the Solr configuration it will generate a lot of noise for Solr users in 
> security-conscious environments.
> This doesn't appear to be a hard dependency for Solr in normal use but I see 
> that the HBase project has a plan to replace it with a shim: 
> https://issues.apache.org/jira/browse/HBASE-24802
>  * The test framework pulls in junit4-ant which has an old simple-xml 
> vulnerable to 
> [CVE-2017-1000190|https://nvd.nist.gov/vuln/detail/CVE-2017-1000190]: 
> /opt/solr-8.11.1/dist/test-framework/lib/junit4-ant-2.7.2.jar
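A defender-side check for the shadowed-dependency problem described in the issue above, added here as an example (it is not Solr project code and not something the reporter or commenter posted): it walks a lib directory, reads the META-INF/maven pom.properties entries packaged inside each jar, and reports the artifacts a jar bundles under a name other than its own. It assumes that shaded jars kept those pom.properties files (the maven-shade default); the sample jar it constructs uses placeholder versions, not real releases.

```python
"""Inventory Maven artifacts bundled inside jars to spot shadowed dependencies.
Assumes shaded jars keep META-INF/maven/<group>/<artifact>/pom.properties."""
import os
import tempfile
import zipfile

def parse_pom_properties(text):
    """Return (groupId, artifactId, version) from a pom.properties body."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return (props.get("groupId"), props.get("artifactId"), props.get("version"))

def embedded_artifacts(jar_path):
    """Every Maven artifact whose pom.properties is packaged inside the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return [parse_pom_properties(jar.read(n).decode("utf-8", "replace"))
                for n in jar.namelist()
                if n.startswith("META-INF/maven/") and n.endswith("/pom.properties")]

def shadowed_artifacts(jar_path):
    """Bundled artifacts other than the jar's own (file-name stem vs. artifactId)."""
    stem = os.path.basename(jar_path)[:-len(".jar")]
    return [a for a in embedded_artifacts(jar_path) if a[1] and not stem.startswith(a[1])]

def scan_jars(lib_dir):
    """Map each jar found under lib_dir (recursively) to the artifacts it shadows."""
    report = {}
    for root, _, files in os.walk(lib_dir):
        for name in sorted(files):
            if name.endswith(".jar"):
                report[name] = shadowed_artifacts(os.path.join(root, name))
    return report

def demo_scan():
    """Build a constructed stand-in for a shaded jar (own coordinates plus a
    bundled jackson-databind; placeholder versions) in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(os.path.join(tmp, "htrace-core4-0.0-SAMPLE.jar"), "w") as jar:
            jar.writestr("META-INF/maven/org.apache.htrace/htrace-core4/pom.properties",
                         "groupId=org.apache.htrace\nartifactId=htrace-core4\nversion=0.0-SAMPLE\n")
            jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                         "# shaded copy\ngroupId=com.fasterxml.jackson.core\n"
                         "artifactId=jackson-databind\nversion=0.0-SAMPLE\n")
        return scan_jars(tmp)
```

Calling scan_jars() on a real directory such as /opt/solr-8.11.1/dist/test-framework/lib lists, per jar, the bundled coordinates a CVE scanner would match against, which is what separates "htrace-core4 carries its own jackson-databind" from a genuine top-level dependency.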



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
