[ 
https://issues.apache.org/jira/browse/SOLR-16333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17578735#comment-17578735
 ] 

Chris Sabelstrom commented on SOLR-16333:
-----------------------------------------

Hi [~janhoy], I understand that the existence of a CVE in a Solr dependency 
does not necessarily mean that it can be exploited. We have our application 
(which uses Solr) deployed in several US GovCloud environments. These 
environments require continuous vulnerability scanning and remediation in order 
to maintain proper certification. If a vulnerability is found, I have to fix it 
within a set schedule or if it's in 3rd party software claim a vendor 
dependency. If claiming a vendor dependency, it is required to open a ticket 
with the vendor requesting a fix. You may choose to not fix this CVE but I must 
open a ticket to maintain our certification. Finally, it is a best practice to 
keep component libraries current to minimize bugs and vulnerabilities. I hope 
you will try to address most CVEs even if they are deemed not exploitable. In 
most cases I find it easier to fix vulnerabilities than to try to 
prove/explain why they cannot be exploited.

> CVE-2021-22569 | CVSS 7 | com.google.protobuf_protobuf-java
> -----------------------------------------------------------
>
>                 Key: SOLR-16333
>                 URL: https://issues.apache.org/jira/browse/SOLR-16333
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 9.0, 8.11.2
>            Reporter: Chris Sabelstrom
>            Priority: Major
>         Attachments: image-2022-08-09-10-14-07-215.png
>
>
> Our security scanner detected the following vulnerability. Please upgrade to 
> version noted in Status column. Please fix this for 8.11 as well as 9.0.
> !image-2022-08-09-10-14-07-215.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)