https://issues.apache.org/jira/browse/SOLR-16464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17620731#comment-17620731
Kevin Risden commented on SOLR-16464:
-------------------------------------
This just made it into 9.1.
Regarding hadoop-auth and commons-configuration2 and commons-text there is a
statement about a previous CVE related to interpolation for
commons-configuration2:
* https://commons.apache.org/proper/commons-configuration/security.html
The gist of it being: if you load configuration from an unknown source, then
there is a chance of RCE. This would be no different for commons-configuration2
using commons-text. I don't know of any way in Solr to load an untrusted
configuration file. hadoop-auth will read config files from the
classpath/filesystem (i.e. core-site.xml or hadoop-site.xml) but those are
trusted since only an admin should be setting those up. They aren't user-provided
configuration files.
> Upgrade commons-text to 1.10.0
> ------------------------------
>
> Key: SOLR-16464
> URL: https://issues.apache.org/jira/browse/SOLR-16464
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Build, Hadoop Integration
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Minor
> Fix For: 9.1, main (10.0), 8.11.3
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> commons-text should be upgraded to 1.10.0 -
> https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
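The comment above rests on the distinction between trusted and untrusted configuration: commons-text interpolation is only dangerous when the text being interpolated can come from someone other than the admin. The example below is added here and is not Solr, hadoop-auth or commons-text project code; it shows how a caller can build a commons-text StringSubstitutor that knows only an explicit allow-list of lookups ("sys" and "env"), so that any other "${prefix:...}" placeholder in a configuration value is rejected instead of resolved. The class name RestrictedInterpolation and the sample strings are constructed for the example; the StringLookupFactory and StringSubstitutor calls are the library's real public API.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not Solr or commons-text project code): restrict commons-text
 * interpolation to an explicit allow-list of lookups, so that placeholders in a
 * configuration file can only read system properties and environment variables.
 * Any other prefix (script, url, dns, ...) is unknown to this substitutor and
 * therefore fails instead of being resolved.
 */
public class RestrictedInterpolation {

    /** Build a substitutor whose only lookups are "sys" and "env". */
    public static StringSubstitutor restricted() {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        allowed.put("env", StringLookupFactory.INSTANCE.environmentVariableStringLookup());

        // addDefaultLookups = false: do not pull in the library's default lookup set,
        // defaultStringLookup = null: a placeholder without a known prefix resolves to nothing.
        StringLookup interpolator =
                StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);

        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Fail closed: an unresolvable ${...} throws instead of being left in place silently.
        sub.setEnableUndefinedVariableException(true);
        return sub;
    }

    public static void main(String[] args) {
        StringSubstitutor sub = restricted();

        // Constructed sample values, as they might appear in a configuration file.
        String trustedStyle = "java.home is ${sys:java.home}";
        String unknownPrefix = "${script:javascript:1+1}";

        System.out.println(sub.replace(trustedStyle));
        try {
            sub.replace(unknownPrefix);
        } catch (IllegalArgumentException e) {
            // The "script" prefix is not in the allow-list, so commons-text cannot resolve it.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design choice worth noting is the addDefaultLookups = false argument: with it, the set of resolvable prefixes is exactly what the caller lists, regardless of which lookups a given commons-text version enables by default. That makes the admin-only trust assumption in the comment explicit in code, and it keeps holding even if a configuration file is later sourced from somewhere less trusted.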